[openssl-users] openssl_ciphers in wpa_supplicant.conf

Viktor Dukhovni openssl-users at dukhovni.org
Wed May 6 04:58:39 UTC 2015

On Tue, May 05, 2015 at 04:06:38PM -0500, xxiao8 wrote:

> I'm trying to make wpa_supplicant fips-safe and one step is to set up:

The phrase "fips-safe" is a rather odd choice.  I think you mean
something along the lines of "FIPS compliant".  For that you'd need
to use a FIPS-capable OpenSSL release and arrange to enable "FIPS

> #openssl_ciphers=DEFAULT:!EXP:!LOW
> (based on http://w1.fi/cgit/hostap/plain/wpa_supplicant/wpa_supplicant.conf)

In FIPS mode, openssl should automatically disable non-compliant

> Is there a way somehow to set up a FIPS suite for openssl_ciphers, something
> like:
> openssl_ciphers=FIPS?

To comply with FIPS, you need to enable FIPS mode; customizing
cipher lists does not do that.  On page 23, and in section 5.2 of:


you'll learn that setting the environment variable OPENSSL_FIPS=1
turns on FIPS mode in a FIPS-capable OpenSSL.  Alternatively, the
application can call FIPS_mode_set(), or use OpenSSL_config() with
a suitable configuration file and choice of "section" name.

