fipsinstall fails without the default provider enabled
Jan Lana
jan.lana at oracle.com
Wed Jun 22 10:14:35 UTC 2022
The openssl fipsinstall command fails if the default provider is not
enabled. Is it expected or is it a bug?

openssl.cnf:

...
[openssl_init]
providers = provider_sect

[provider_sect]
base = base_sect

[base_sect]
activate = 1
...

LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl fipsinstall -module /usr/local/lib64/ossl-modules/fips.so
Unable to get MAC of type HMAC
INSTALL FAILED
00A19AFCB27F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:317:Global default library context, Algorithm (HMAC : 0), Properties (<null>)

(tested on linux-x86_64 configuration, changeset
5317b6ee1fc3db20de5976fbb46cc49a45c0768a)

With the configuration "only fips+base provider" (according to
https://www.openssl.org/docs/manmaster/man7/fips_module.html) it is not
possible to make an update - it is necessary to enable the default
provider, call fipsinstall and disable the default provider again. Of
course, this can be done, but it is annoying.

The openssl-fipsinstall indicates that this behavior is expected:

...
For normal usage the base configuration file should use the default
provider when generating the fips configuration file.
...

thanks,
- jenda

More information about the openssl-users mailing list
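
The enable/install/disable cycle described in the message above can be confined to a single invocation by pointing OPENSSL_CONF at a temporary config that activates the default provider, leaving the system openssl.cnf on fips + base. This is an added example, not part of the original post and not OpenSSL's own tooling; the function names and the OPENSSL_BIN override are assumptions, and LD_LIBRARY_PATH is left to the caller.

```shell
#!/bin/sh
# Added example (not from the original post). Runs fipsinstall under a
# throwaway config that activates the default provider, so the system
# openssl.cnf can stay limited to fips + base.

# Write a minimal config whose only active provider is "default".
write_install_conf() {
    cat > "$1" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1
EOF
}

# fips_install MODULE OUT: regenerate the FIPS module config at OUT.
# OPENSSL_BIN is a hypothetical override for the openssl binary to use.
fips_install() {
    module=$1
    out=$2
    [ -r "$module" ] || { echo "module not readable: $module" >&2; return 2; }
    tmpdir=$(mktemp -d) || return 1
    write_install_conf "$tmpdir/install.cnf"
    # OPENSSL_CONF applies to this one invocation only.
    if OPENSSL_CONF="$tmpdir/install.cnf" "${OPENSSL_BIN:-openssl}" \
        fipsinstall -module "$module" -out "$tmpdir/fipsmodule.cnf"; then
        # Replace the old file only after a successful install.
        mv "$tmpdir/fipsmodule.cnf" "$out"
        rc=$?
    else
        rc=1
    fi
    rm -rf "$tmpdir"
    return "$rc"
}

# Run only when called with arguments: script.sh MODULE OUT
if [ "$#" -eq 2 ]; then
    fips_install "$1" "$2"
fi
```

Because the new fipsmodule.cnf is written to a temporary directory first, a failed install leaves the existing file untouched.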