command 'openssl ciphers -v -provider fips' shows not complain algorithms
Matt Caswell
matt at openssl.org
Wed Jan 26 12:40:13 UTC 2022
On 26/01/2022 11:27, Jan Lana wrote:
> Hi,
>
> When I run
> openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256
>
> it shows this non complain cipher is available.
This looks correct behaviour to me. Your openssl.cnf file is explicitly
activating the default provider. The "-provider" option is additive.
Since your config file activates the default provider, you end up with
both the default and fips providers active.
> To add '-propquery
> fips=yes' argument does not help. IMHO it is not correct behavior.
This is a bug. Fix here:
https://github.com/openssl/openssl/pull/17595
Matt
>
>
> I have the default and fips providers enabled in openssl.cnf:
>
> openssl_conf = openssl_init
>
> .include /usr/local/ssl/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
> default = default_sect
>
> [default_sect]
> activate = 1
>
>
> For testing I use docker.io/salrashid123/openssl:fips image with
> modified /usr/local/ssl/openssl.cnf.
>
> When I add 'alg_section = algorithm_sect' to [openssl_init] section
> defined as follows:
>
> [algorithm_sect]
> default_properties = fips=yes
>
> the command 'openssl cipher -v' shows just fips compliant ciphers.
>
> I found it when I try to build stunnel 5.62 and one of their test fails.
> The test uses OSSL_PROVIDER_load() to load fips provider and then set
> ciphersuite to TLS_CHACHA20_POLY1305_SHA256. Expected results is that
> there is no complain cipher.
> (https://github.com/mtrojnar/stunnel/blob/178822afdefb0798fb937f6b5f43b47c5ab77613/tests/plugins/p11_fips_cipher.py#L78)
>
>
> Thanks in advance,
> - jenda
>
More information about the openssl-users
mailing list