[openssl-users] Using FIPS mode and modifying apps

Marcus Meissner meissner at suse.de
Thu Jan 15 10:52:55 UTC 2015


On Thu, Jan 15, 2015 at 05:46:22AM -0500, jonetsu at teksavvy.com wrote:
> On Tue, 13 Jan 2015 21:33:49 -0500
> "jonetsu at teksavvy.com" <jonetsu at teksavvy.com> wrote:
> 
> > So basically every app that uses libssl will have to be modified to
> > add a FIPS_mode_set() call near the beginning.  Is that right ?
> 
> Is there a way to automatically have the FIPS test executed when an
> application loads the library, w/o the application being modified ?  Is
> such a way used at all ?

This is actually mandated these days.

The library should do this in its ELF constructor for instance.

On Linux usually triggered by /proc/sys/crypto/fips_enabled containing "1"
or the environment variable OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs
done by SUSE and Redhat, which do not use the container blob).

Ciao, Marcus


More information about the openssl-users mailing list