FIPS Client on Windows for 3.X

Matt Caswell matt at openssl.org
Wed Aug 23 09:44:13 UTC 2023



On 23/08/2023 01:45, Robert Brown via openssl-users wrote:
> Hi,
> 
> I'm working on a Windows Program that utilizes the OpenSSL libraries and 
> DLLs. I'm looking to enable FIPS in some cases (where it is required by 
> the user). Currently, I'm looking at restarting the program when the 
> FIPS mode is changed and changing the loaded provider.
> 
> I've compiled and installed OpenSSL 3.1 with the enable-fips option, run 
> the fips install, generated the .cnf file, and copied the FIPS module 
> along with the .cnf to my program. I'm following the code provided at 
> https://wiki.openssl.org/index.php/OpenSSL_3.0 under the 
> _Programmatically loading the FIPS module (default library context)_ 
> heading. I'm not able to load the FIPS module, the provider value is null.

A better link to use is this one (it's probably more up-to-date):

https://www.openssl.org/docs/man3.1/man7/fips_module.html


> 
> Is there anything I'm missing here or pointers to reference material 
> folks can provide me?

If after attempting to load the provider you get NULL back then it is 
usually worth checking the OpenSSL error stack, e.g. via ERR_print_errors().

https://www.openssl.org/docs/man3.1/man3/ERR_print_errors.html

A frequent problem is that either the config file or the module is not 
found.

OpenSSL will look in a standard directory for fips.dll (the MODULESDIR 
returned by "openssl version -m"). If the OPENSSL_MODULES environment 
variable has been set then it will look for fips.dll in that directory 
instead. Check that fips.dll is in the expected location.

Matt

> 
> As a side note I'm wondering if anyone has tips for running the 
> fips-install command on each client as it seems we can't copy config 
> files between machines.
> 
> Thanks,
> 
> Robert
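A diagnostic that walks through the checks above (which directory the library will search for fips.dll, whether the DLL is there, and whether the fipsinstall-generated config still matches it). This is an added example, not code from the thread or from the OpenSSL project; it assumes the 3.x openssl.exe in question is on PATH and that the config is called fipsmodule.cnf unless a path is passed in.

```powershell
# Added diagnostic (not from the thread or the OpenSSL project): checks where
# OpenSSL will look for fips.dll (MODULESDIR, or OPENSSL_MODULES if set),
# whether the DLL is there, and whether the fipsinstall config matches it.
# Assumptions: openssl.exe from the 3.x build in question is on PATH, and the
# config is named fipsmodule.cnf unless another path is given.
param(
    [string]$FipsConfig = (Join-Path $PWD 'fipsmodule.cnf')
)
$ErrorActionPreference = 'Stop'

# 1. MODULESDIR compiled into this build; "openssl version -m" prints a line
#    of the form  MODULESDIR: "C:\...\ossl-modules"
$line = (& openssl version -m) -join "`n"
if ($line -notmatch 'MODULESDIR:\s*"([^"]+)"') { throw "Cannot parse: $line" }
$modulesDir = $Matches[1]

# 2. OPENSSL_MODULES overrides MODULESDIR when it is set.
$envDir = $env:OPENSSL_MODULES
$effectiveDir = if ($envDir) { $envDir } else { $modulesDir }
Write-Host "MODULESDIR      : $modulesDir"
Write-Host "OPENSSL_MODULES : $(if ($envDir) { $envDir } else { '<not set>' })"
Write-Host "Search dir used : $effectiveDir"

# 3. Is fips.dll actually where the library will look for it?
$fipsDll = Join-Path $effectiveDir 'fips.dll'
if (-not (Test-Path $fipsDll)) {
    Write-Warning "fips.dll not found at $fipsDll (copy it there or point OPENSSL_MODULES at its directory)"
    exit 1
}
Write-Host "fips.dll found  : $fipsDll"

# 4. Is the config present, and does its MAC still match this fips.dll?
#    fipsinstall records module-mac, an HMAC over the DLL bytes, so a config
#    produced against a different copy of the module fails verification.
if (-not (Test-Path $FipsConfig)) {
    Write-Warning "Config not found: $FipsConfig (generate it with: openssl fipsinstall -module $fipsDll -out $FipsConfig)"
    exit 1
}
if (-not (Select-String -Path $FipsConfig -Pattern '^\s*module-mac\s*=' -Quiet)) {
    Write-Warning "$FipsConfig has no module-mac line; it was not produced by fipsinstall"
    exit 1
}
& openssl fipsinstall -module $fipsDll -in $FipsConfig -verify | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "MAC in $FipsConfig does not match $fipsDll; rerun fipsinstall on this machine"
    exit 1
}
Write-Host "Config verified : $FipsConfig matches $fipsDll"
```

Run it from the directory the program starts in, with the same OPENSSL_MODULES setting the program sees, so the search directory it reports is the one the library will actually use.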
