OpenSSL 3.0.0 FIPS compatible ECDH-KAS

Dr Paul Dale pauli at openssl.org
Wed Sep 22 22:29:09 UTC 2021


Adding that should be enough to force only FIPS validated algorithms are 
used.

Just doing that isn't enough, there is more you are going to need to 
do.  E.g. you will need to load the FIPS and base providers either via 
config or explicitly.

It's possible to set the default properties via config too.


Everything is documented and I'd recommend starting with the migration 
guide manual page and working from there.

In my opinion, the 1.0 -> 1.1 transition is the more onerous part.


Pauli

On 23/9/21 3:44 am, Kory Hamzeh wrote:
> I have an OpenSSL app which performs ECDH-KAS using openssl-1.0.1g + openssl-fips-2.0.5. It needs to be FIPS compatible. The app was written using the low level ECDH functions similar to what is documented here:
>
> https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman#Using_the_Low_Level_APIs
>
> According to the OpenSSL 3.0.0 Wiki, I MUST rewrite my code to use the high level EVP functions if I want FIPS compatibility. If so, I was going to follow the EVP example at the top of the same URL above.
>
> However, I can use some help. Using the EVP example on that page, when and which methods do I need to fetch? If I just add this at the top:
>
>    EVP_set_default_properties(NULL, "fips=yes”);
>
> will that be enough?
>
> Thanks,
> Kory
>
>
>
>



More information about the openssl-users mailing list