FIPS Client on Windows for 3.X

Dr Paul Dale pauli at openssl.org
Wed Aug 30 00:17:56 UTC 2023


I'll also note that _no_ version of OpenSSL 3.1 is currently FIPS 
validated.  Building 3.1 with enable-fips will _not_ give you a FIPS 
compliant installation.

To be FIPS compliant, you _must_ build the FIPS provider from the 3.0.0 
or 3.0.8 source code releases.
The FIPS provider built there will work with OpenSSL 3.1.

Instructions for this are in the README_FIPS.md 
<https://github.com/openssl/openssl/blob/master/README-FIPS.md> file in 
the /Installing the FIPS provider and using it with the latest release/ 
section.


Dr Paul Dale

On 23/8/23 10:45, Robert Brown via openssl-users wrote:
> Hi,
>
> I'm working on a Windows Program that utilizes the OpenSSL libraries 
> and DLLs. I'm looking to enable FIPS in some cases (where it is 
> required by the user). Currently, I'm looking at restarting the 
> program when the FIPS mode is changed and changing the loaded provider.
>
> I've compiled and installed OpenSSL 3.1 with the enable-fips option, 
> run the fips install, generated the .cnf file, and copied the FIPS 
> module along with the .cnf to my program. I'm following the code 
> provided at https://wiki.openssl.org/index.php/OpenSSL_3.0 under the 
> _Programmatically loading the FIPS module (default library context)_ 
> heading. I'm not able to load the FIPS module, the provider value is null.
>
> Is there anything I'm missing here or pointers to reference material 
> folks can provide me?
>
> As a side note, I'm wondering if anyone has tips for running the 
> fips-install command on each client as it seems we can't copy config 
> files between machines.
>
> Thanks,
>
> Robert