OpenSSL 3.0.0 FIPS compatible ECDH-KAS
Dr Paul Dale
pauli at openssl.org
Wed Sep 22 22:29:09 UTC 2021
Adding that should be enough to force only FIPS validated algorithms are
used.
Just doing that isn't enough, there is more you are going to need to
do. E.g. you will need to load the FIPS and base providers either via
config or explicitly.
It's possible to set the default properties via config too.
Everything is documented and I'd recommend starting with the migration
guide manual page and working from there.
In my opinion, the 1.0 -> 1.1 transition is the more onerous part.
Pauli
On 23/9/21 3:44 am, Kory Hamzeh wrote:
> I have an OpenSSL app which performs ECDH-KAS using openssl-1.0.1g + openssl-fips-2.0.5. It needs to be FIPS compatible. The app was written using the low level ECDH functions similar to what is documented here:
>
> https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman#Using_the_Low_Level_APIs
>
> According to the OpenSSL 3.0.0 Wiki, I MUST rewrite my code to use the high level EVP functions if I want FIPS compatibility. If so, I was going to follow the EVP example at the top of the same URL above.
>
> However, I can use some help. Using the EVP example on that page, when and which methods do I need to fetch? If I just add this at the top:
>
> EVP_set_default_properties(NULL, "fips=yes”);
>
> will that be enough?
>
> Thanks,
> Kory
>
>
>
>
More information about the openssl-users
mailing list