<div dir="ltr">Hi Tom,<div><br></div><div>Thanks a lot for clarifying the doubt. </div><div><br></div><div>Regards</div><div>Jayalakshmi</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <span dir="ltr"><<a href="mailto:thomas.francis.jr@pobox.com" target="_blank">thomas.francis.jr@pobox.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class=""><br>
> On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <<a href="mailto:bhat.jayalakshmi@gmail.com">bhat.jayalakshmi@gmail.com</a>> wrote:<br>
><br>
> Hello all,<br>
><br>
> I have a question on FIPS. We have OpenSSL FIPS module integrated with our product. We have an option to enable/disable FIPS at run time. We are executing the following openSSL API's every time when FIPS status changes.<br>
<br>
</span>Typically, this is not allowed; you must restart your application in order to switch in or out of FIPS approved mode. Your customer’s auditor (or your auditor) may believe differently, but my former employer had auditors make it very clear that an application must never switch into or out of FIPS approved mode without restarting the application (and most of the auditors wanted us to require the user to reboot their entire system to make the switch; fortunately they were willing to allow the application with just an extra note recommending the user reboot after modifying the setting).<br>
<span class=""><br>
> {<br>
> We have mapped OpenSSL crypto locks to mutex intenally. Hence we delete it and create it every time when FIPS status changes.<br>
> ERR_free_strings()<br>
> ERR_remove_state(0);<br>
> EVP_cleanup();<br>
> SSL_library_init()<br>
> SSLeay_add_all_algorithms()<br>
> }<br>
><br>
> Without executing this we are hitting the error, error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our approach is correct?<br>
<br>
</span>IIRC you should be able to switch in and out of FIPS appoved mode by simply calling FIPS_mode_set() with the appropriate argument. I know this worked with the FIPS 1.2 module, but I never bothered to try it with the 2.0 module (see above about allowed uses). I wouldn’t recommend trying to uninitialize and re-initialize OpenSSL, though — while probably safe, it seems like a bad idea. If this is a long-running program that can do multiple things at a time, it’s definitely a bad idea to allow a toggle like that — someone might’ve started a task, then turned on FIPS approved mode — if the task hasn’t done anything with OpenSSL yet, it’ll probably be done with FIPS approved mode, but was that the user’s intent? I’d recommend that when a user changes the setting, you store the setting and inform the user that the new setting will take affect only after restarting the application.<br>
<br>
I really doubt you’ll be allowed to switch FIPS approved mode on and off with just a simple toggle (even if it works technically).<br>
<br>
<br>
> Regards<br>
> Jayalakshmi<br>
<div class="HOEnZb"><div class="h5">> _______________________________________________<br>
> openssl-users mailing list<br>
> To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
_______________________________________________<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
</div></div></blockquote></div><br></div>