Static OpenSSL 3 library with FIPS
Matt Caswell
matt at openssl.org
Mon Mar 28 07:38:56 UTC 2022
On 25/03/2022 20:59, Paul Spencer wrote:
>
> Thanks for the info.
>
> You mean both libssl.a and libcrypto.a static, and then dynamically
> loaded fips.so, correct?
Yes.
> Unfortunately that gets away from the
> single-binary-executable model and so is a somewhat major change.
Yes. As noted this was a deliberate day 1 design decision.
Matt
>
>
> -----Original Message-----
> *From*: Matt Caswell <matt at openssl.org>
> *To*: openssl-users at openssl.org
> *Subject*: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
> *Date*: Fri, 25 Mar 2022 20:22:02 +0000
>
>
> On 25/03/2022 18:33, Paul Spencer wrote:
>
>> Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
>>
>> This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and
>> special linking in the Makefile). However, with SSL3, if I go
>>
>> Configure no-module enable-fips
>>
>> then it silently disables FIPS. Is there any way to do this?
>>
>
> You can have a static libcrypto (.a) with a dynamically loaded FIPS
> module (i.e. using fips.so).
>
> Configure no-shared enable-fips
>
> You cannot have a statically linked FIPS module. It was a day 1 design
> decision that we would no longer support this.
>
> Matt
>
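
The layout described in this thread (static libcrypto, `fips.so` loaded at run time) means a single-binary application still depends on two external files: the provider module and the `fipsmodule.cnf` written by `openssl fipsinstall`. The following is an added example, not part of the original messages or OpenSSL's own code; the function names and all paths are assumptions. It generates a provider configuration and checks that the run-time files are present, so a deployment does not quietly run without the FIPS provider.

```shell
#!/bin/sh
# Added example. Build and install steps (need an OpenSSL 3 source tree, so
# shown as comments only):
#   ./Configure no-shared enable-fips && make && make install_fips
# `openssl fipsinstall` writes fipsmodule.cnf, which holds the module's
# integrity MAC.

# Emit a minimal openssl.cnf that loads the FIPS provider from fipsmodule.cnf.
# $1 = absolute path to fipsmodule.cnf (assumed path, adjust per install).
fips_openssl_cnf() {
    cat <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $1

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# Check the files a statically linked application still needs at run time.
# $1 = provider module directory (what OPENSSL_MODULES would point at)
# $2 = fipsmodule.cnf path. Prints each problem; returns non-zero on any.
check_fips_deploy() {
    rc=0
    [ -f "$1/fips.so" ] || { echo "missing provider module: $1/fips.so"; rc=1; }
    if [ ! -f "$2" ]; then
        echo "missing module config: $2"; rc=1
    elif ! grep -q '^module-mac[[:space:]]*=' "$2"; then
        echo "no module-mac in $2 (not generated by fipsinstall?)"; rc=1
    fi
    return $rc
}
```

Point the application at the generated file with the `OPENSSL_CONF` environment variable and at the module directory with `OPENSSL_MODULES`.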