[External] : Regarding FIPS 140-2 support on embedded target
Thomas Dwyer III
thomas.dwyer at oracle.com
Wed Nov 15 19:31:56 UTC 2023
On 11/15/23 05:33, manjunatha srinivasan wrote:
[...]
> Below are changes in file /etc/ssl/openssl.cnf.
> -------------
> --- /home/root/backup-openssl/openssl.cnf 2023-11-14
> 16:28:59.117481173 +0000
> +++ /etc/ssl/openssl.cnf 2023-11-14 17:19:55.627228042 +0000
> @@ -8,6 +8,7 @@
> # Note that you can include other files from the main configuration
> # file using the .include directive.
> #.include filename
> +.include /usr/lib/ssl-3/fipsmodule.cnf
>
> # This definition stops the following lines choking if HOME isn't
> # defined.
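Review bot: The added `.include /usr/lib/ssl-3/fipsmodule.cnf` lands at line 11 of the new file, among the opening comments, with no `[section]` header anywhere in the surrounding context. Any section header carried by the included file will therefore also apply to the unsectioned settings that follow it, starting with the HOME definition announced in the trailing context lines. Suggest moving the directive further down, to just before the first `[section]` header that the file already has, so the top-level settings stay outside any named section.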
> @@ -64,8 +65,11 @@
My guess is that you're including fipsmodule.cnf in the wrong place.
That location is in the "default" section (per
https://www.openssl.org/docs/manmaster/man5/config.html) which is where
this important line resides:
openssl_conf = openssl_init
The result is that your fipsmodule.cnf effectively eliminates the
default section and puts the above line inside the [fips_sect] section.
Nothing else is going to work correctly because of this. Try moving your
".include" statement down lower, perhaps immediately before the start of
the [openssl_init] section.
Tom.III
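The placement problem described in the reply above, as an added example that is not part of the original message or of OpenSSL: a small checker that expands `.include` directives in place and reports which section each key lands in. The abbreviated config texts are constructed, and the in-place expansion models the behaviour the reply describes rather than OpenSSL's own parser.

```python
import re

SECTION = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")
INCLUDE = re.compile(r"^\.include\s*=?\s*(\S+)$")

def expand(text, includes):
    """Yield config lines with each .include replaced by the file's lines."""
    for raw in text.splitlines():
        m = INCLUDE.match(raw.strip())
        if m:
            yield from expand(includes[m.group(1)], includes)
        else:
            yield raw

def key_sections(text, includes):
    """Map each key to the section it lands in once includes are expanded."""
    section, found = "default", {}
    for raw in expand(text, includes):
        line = raw.split("#", 1)[0].strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)  # stays in effect after the included text ends
        elif "=" in line:
            found.setdefault(line.split("=", 1)[0].strip(), section)
    return found

def openssl_conf_in_default(text, includes):
    """True when openssl_conf is still read from the default section."""
    return key_sections(text, includes).get("openssl_conf") == "default"

# Constructed, abbreviated stand-ins for the real files (MAC is a placeholder).
INCLUDES = {"/usr/lib/ssl-3/fipsmodule.cnf":
            "[fips_sect]\nactivate = 1\nmodule-mac = <placeholder>\n"}
HEAD = "HOME = .\nopenssl_conf = openssl_init\n"
INC = ".include /usr/lib/ssl-3/fipsmodule.cnf\n"
TAIL = "\n[openssl_init]\nproviders = provider_sect\n"
AS_POSTED = "#.include filename\n" + INC + HEAD + TAIL   # include at the top
MOVED_DOWN = "#.include filename\n" + HEAD + INC + TAIL  # include before [openssl_init]

if __name__ == "__main__":
    for name, cnf in (("as posted", AS_POSTED), ("moved down", MOVED_DOWN)):
        print(name, key_sections(cnf, INCLUDES)["openssl_conf"],
              openssl_conf_in_default(cnf, INCLUDES))
```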