[openssl-users] Using FIPS mode and modifying apps
meissner at suse.de
Thu Jan 15 10:52:55 UTC 2015
On Thu, Jan 15, 2015 at 05:46:22AM -0500, jonetsu at teksavvy.com wrote:
> On Tue, 13 Jan 2015 21:33:49 -0500
> "jonetsu at teksavvy.com" <jonetsu at teksavvy.com> wrote:
> > So basically every app that uses libssl will have to be modified to
> > add a FIPS_mode_set() call near the beginning. Is that right ?
> Is there a way to automatically have the FIPS test executed when an
> application loads the library, w/o the application being modified ? Is
> such a way used at all ?
This is actually mandated these days.
The library should do this in its ELF constructor for instance.
On Linux usually triggered by /proc/sys/crypto/fips_enabled containing "1"
or the environment variable OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs
done by SUSE and Redhat, which do not use the container blob).
More information about the openssl-users