Questions re building/using OpenSSL 3 with FIPS
Matt Caswell
matt at openssl.org
Thu Jun 15 13:37:20 UTC 2023
On 15/06/2023 13:55, Vivek V via openssl-users wrote:
> Hello,
>
> We are in the process of building and deploying OpenSSL with the FIPS
> module. We want to make sure we are doing it the right way, and have a
> few questions:
>
> **Config file**
>
> Are there any stipulations on the contents of the config file? Our
> preferred plan is to have a minimal openssl.cnf file, with the following
> contents, that in turn references the fips config file:

Looks fine to me.

> An alternate plan for the config file is to merge both of the above into
> a single config file, and load it.

This might be a bit of a grey area. To have a validated module you must
follow the installation instructions in the security policy (appendix
A). Since that doesn't mention any subsequent editing or merging of the
module config file with the main config file I'm not sure whether that
would be acceptable.

>
> Any concerns with either of the above options?
>
> **FIPS self-tests**
> From the docs, I see two alternatives to do the FIPS self-tests: (i)
> Doing "make install_fips" on each instance, or (ii) Running the openssl
> tool with fipsinstall option.
>
> The former is not feasible for us since we cannot/don't want to build
> openssl on each endpoint. Which leaves the latter ("openssl
> fipsinstall") as the only feasible option.
>
> Is this understanding correct? And in particular, "openssl fipsinstall"
> is an acceptable choice to do the fips self-tests, correct?

Yes.

>
> **Building different openssl assets at different versions**
> We obviously want to use the fips module fully complying with its
> certification. In particular, we will be building the fips module off
> OpenSSL 3.0.8.
>
> There are a few other assets we require: the static libcrypto and libssl
> libs, and the openssl tool. We plan to build these off the latest 3.0.x
> release, which happens to be 3.0.9 currently. This is so as to benefit
> from any fixes that are in the latest version.
>
> Is the above fine? i.e. building the static libcrypto and libssl libs and
> the openssl tool (and any other non-fips assets) off 3.0.9, and using
> them in conjunction with the 3.0.8 fips provider?

Yes this is all fine. Indeed running the latest version of
libcrypto/libssl with a validated version of the fips provider is the
recommended way to do things. From our "Download" page:

"Please follow the Security Policy instructions to download, build and
install a validated OpenSSL FIPS provider. Other OpenSSL Releases MAY
use the validated FIPS provider, but MUST NOT build and use their own
FIPS provider. For example you can build OpenSSL 3.1 and use the OpenSSL
3.0.8 FIPS provider with it."

https://www.openssl.org/source/

The example given on the download page is using 3.1 with the 3.0.8
provider. But it applies equally well to using 3.0.9 with the 3.0.8
provider.

Matt
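
The per-endpoint flow discussed in this message (run "openssl fipsinstall" on the endpoint, keep a minimal openssl.cnf that only references the generated module config, then confirm which tool and provider versions are in use), as an added example that is not part of the original thread and is not the poster's own config file, whose contents are not shown on this page. The install paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example; every path below is an assumption, adjust to your install.
OPENSSLDIR="${OPENSSLDIR:-/usr/local/ssl}"
FIPS_MODULE="${FIPS_MODULE:-/usr/local/lib64/ossl-modules/fips.so}"

# Run the FIPS self-tests on this endpoint and write the module config.
# This is the "openssl fipsinstall" route; nothing is compiled here.
install_fips_module() {   # $1 = fips.so, $2 = fipsmodule.cnf to create
    openssl fipsinstall -module "$1" -out "$2"
}

# Write a minimal main config that only references the generated module
# config via .include, leaving fipsmodule.cnf itself unedited.
write_main_cnf() {        # $1 = openssl.cnf to create, $2 = fipsmodule.cnf
    cat > "$1" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $2

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
EOF
}

# Re-check the recorded module MAC and install status, then list what loads.
# "openssl version" reports the tool/libcrypto release (e.g. 3.0.9), while
# the provider list reports the fips provider's own version (e.g. 3.0.8).
verify_deployment() {     # $1 = fips.so, $2 = fipsmodule.cnf, $3 = openssl.cnf
    openssl fipsinstall -module "$1" -in "$2" -verify || return 1
    openssl version
    OPENSSL_CONF="$3" openssl list -providers
}

if [ "${1:-}" = "deploy" ]; then
    install_fips_module "$FIPS_MODULE" "$OPENSSLDIR/fipsmodule.cnf" &&
    write_main_cnf "$OPENSSLDIR/openssl.cnf" "$OPENSSLDIR/fipsmodule.cnf" &&
    verify_deployment "$FIPS_MODULE" "$OPENSSLDIR/fipsmodule.cnf" \
        "$OPENSSLDIR/openssl.cnf"
fi
```

Run it with the argument "deploy" on each endpoint; without an argument it only defines the functions.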