[openssl-users] OpenSSL FIPS (0.9.8) coexisting with non-FIPS (1.0.1)

Steve Marquess marquess at openssl.com
Fri Jan 16 22:25:44 UTC 2015

On 01/16/2015 04:23 PM, Nou Dadoun wrote:
> We are currently using FIPS and non-FIPS builds of 0.9.8 where a
> configuration setting can select FIPS or non-FIPS mode, loads the
> appropriate build and populates a  function table which is used by
> the code for OpenSSL functionality.
> We would like to update the non-FIPS build to a later version (e.g.
> 1.0.1) which has support for TLS 1.1/1.2 (etc.) which could then
> co-exist with the increasingly insecure but certified FIPS build in
> this way.
> Has anybody tried this?   Any gotchas come to mind?  E.g. does a
> canister need to be used for the non-FIPS?  Are there any major API
> changes between the two (besides APIs and/or parameter values which
> have been added or extended)?  Is this a crazy thing to do?
> Thanks in advance for any relevant comments! ... N

If I'm following here, you want to deploy something that uses OpenSSL
1.0.1 either with or without the FIPS module, as decided at runtime.
That's a common enough scenario: those customers who must use FIPS will
want that, all others either won't want or don't care about FIPS (some
of them very specifically won't want it, for understandable reasons).

You don't need two separate builds, a single build of one set of
libraries can be used for both purposes. We call that the "FIPS capable"
OpenSSL: build openssl 1.0.1 with the "fips" build time option in the
presence of a FIPS module. You wind up with the same libcrypto and
libssl libraries that you know and love. That one set of libraries can
be used for either purpose: use them without calling FIPS_mode_set() and
they behave like stock 1.0.1. Call FIPS_mode_set() to enable the FIPS
module of operation and your application will automatically be using the
embedded FIPS module (with
non-approved crypto operations disabled).

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list