Need Help on OpenSSL 3.0.x and FIPS enablement

Dmitry Belyavsky beldmit at gmail.com
Tue Feb 28 21:51:34 UTC 2023


Dear PCRaghavendra,

If you call OPENSSL_init_crypto with proper flags from your
application, OpenSSL will load the config file automatically.

You should also add a section named [alg_section] to the config file
and add the line
default_properties = fips=yes

according to https://www.openssl.org/docs/man3.0/man5/config.html

In your program you can use EVP_default_properties_enable_fips for
this purpose.

Hope this helps.

On Tue, Feb 28, 2023 at 6:52 PM Prasad, PCRaghavendra via
openssl-users <openssl-users at openssl.org> wrote:
>
> Hi Team,
>
> Our team has started migrating from OpenSSL 1.0.2 to OpenSSL 3.0.x.
>
> We are doing a POC for the same on Windows and Linux.
>
> We have a tight schedule to finish the migration by the first week of April, as we need to fix one critical BD issue and support the TLS 1.3 feature as well.
>
> The team and I are going through multiple docs of OpenSSL 3.x and trying to figure out how to configure FIPS once we build OpenSSL.
>
> A few things:
>
> 1. In OpenSSL 3.0.x the FIPS module is installed/integrated by default (enable-fips) during the build step.
> 2. fipsmodule.cnf is present in the default location (c:\usr\local\ssl\).
> 3. After reading multiple ways on how to enable FIPS, one way is the config way, where we need to change a few params in openssl.cnf.
> 4. After changing that, we did the test using openssl.exe (SHA1 passed and MD5 failed); all good.
> 5. Now the challenge is that we need to set the FIPS enablement programmatically, for which we were going through multiple docs (OpenSSL and some forums).
> 6. Until now we used OpenSSL 1.0.2, where the FIPS module is embedded in libcrypto and we need to set it at the beginning of the application (fips_mode_set()) and everything else is taken care of by default.
> 7. Now with OpenSSL 3.0.x, how to set that FIPS mode for the entire application is not very clear.
> 8. Everywhere they are talking about the config files; our application is a standalone application that bundles all the required libs (crypto/SSL) and runs on its own, and it will not refer to any system config/lib files.
> 9. So our doubt is: if we build the application on a build machine containing OpenSSL 3.0.x and create an artifact, we need to run it on different machines.
> 10. In OpenSSL 3.0.x, is there any hard dependency on the .cnf files? Should we carry them in our artifact, and if so, should we install them in the default path like (C:\usr or /usr/local), which we were not doing till now?
>
> Any input on this will be really helpful.
>
> Thanks,
>
> Raghavendra



-- 
SY, Dmitry Belyavsky

