fipsinstall fails without the default provider enabled

Jan Lana jan.lana at oracle.com
Wed Jun 22 10:14:35 UTC 2022


The openssl fipsinstall command fails if the default provider is not 
enabled.  Is it expected or is it a bug?

openssl.cnf:
   ...
   [openssl_init]
   providers = provider_sect

   [provider_sect]
   base = base_sect

   [base_sect]
   activate = 1
   ...

LD_LIBRARY_PATH=/usr/local/lib64 /usr/local/bin/openssl fipsinstall -module /usr/local/lib64/ossl-modules/fips.so
   Unable to get MAC of type HMAC
   INSTALL FAILED
   00A19AFCB27F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:317:Global default library context, Algorithm (HMAC : 0), Properties (<null>)

(tested on linux-x86_64 configuration, changeset 5317b6ee1fc3db20de5976fbb46cc49a45c0768a)

With the configuration "only fips+base provider" (according to 
https://www.openssl.org/docs/manmaster/man7/fips_module.html) it is not 
possible to make an update - it is necessary to enable the default 
provider, call fipsinstall and disable the default provider again. Of 
course, this can be done, but it is annoying.

The openssl-fipsinstall indicates that this behavior is expected:
   ...
   For normal usage the base configuration file should use the default 
   provider when generating the fips configuration file.
   ...

thanks,
- jenda
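
The workaround described in the message above (default provider active only while fipsinstall runs) can be done without editing the system openssl.cnf, by pointing OPENSSL_CONF at a throwaway config for that one invocation. This is an added example, not part of the original post or of OpenSSL's own tooling; the function names and the output path are hypothetical, and the binary and module paths are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: run fipsinstall with a one-off config that enables the
# default provider, leaving the "fips+base only" system config untouched.
# Paths come from the post; function names are hypothetical.

OPENSSL_BIN=${OPENSSL_BIN:-/usr/local/bin/openssl}
FIPS_MODULE=${FIPS_MODULE:-/usr/local/lib64/ossl-modules/fips.so}

# Write a temporary config activating the default and base providers.
# Prints the path of the file it created.
write_install_conf() {
    conf=$(mktemp "${TMPDIR:-/tmp}/fipsinstall.XXXXXX") || return 1
    cat > "$conf" <<'EOF'
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
base = base_sect

[default_sect]
activate = 1

[base_sect]
activate = 1
EOF
    printf '%s\n' "$conf"
}

# Run fipsinstall under the temporary config; $1 is where the generated
# FIPS module config is written. The temporary file is removed afterwards.
run_fipsinstall() {
    out=$1
    conf=$(write_install_conf) || return 1
    OPENSSL_CONF="$conf" LD_LIBRARY_PATH=/usr/local/lib64 \
        "$OPENSSL_BIN" fipsinstall -module "$FIPS_MODULE" -out "$out"
    rc=$?
    rm -f "$conf"
    return $rc
}

# Usage (output path is a placeholder): run_fipsinstall ./fipsmodule.cnf
```

The system-wide configuration is never modified, so the default provider is not left active for other processes if the install step is interrupted.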

