[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).

Tom Francis thomas.francis.jr at pobox.com
Thu Sep 10 14:44:37 UTC 2015

> On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <bhat.jayalakshmi at gmail.com> wrote:
> Hello all,
> I have a question on FIPS. We have the OpenSSL FIPS module integrated with our product. We have an option to enable/disable FIPS at run time.  We are executing the following OpenSSL APIs every time the FIPS status changes.

Typically, this is not allowed; you must restart your application in order to switch in or out of FIPS approved mode.  Your customer’s auditor (or your auditor) may believe differently, but my former employer had auditors make it very clear that an application must never switch into or out of FIPS approved mode without restarting the application (and most of the auditors wanted us to require the user to reboot their entire system to make the switch; fortunately they were willing to allow the application with just an extra note recommending the user reboot after modifying the setting).  

> {
> 	We have mapped OpenSSL crypto locks to mutexes internally. Hence we delete and recreate them every time the FIPS status changes.
> 	ERR_free_strings();
> 	ERR_remove_state(0);
> 	EVP_cleanup();
> 	SSL_library_init();
> 	SSLeay_add_all_algorithms();
> }
> Without executing this, we hit the error error:0409A09E:lib(4):func(154):reason(158). I wanted to know whether our approach is correct.

IIRC you should be able to switch in and out of FIPS approved mode by simply calling FIPS_mode_set() with the appropriate argument.  I know this worked with the FIPS 1.2 module, but I never bothered to try it with the 2.0 module (see above about allowed uses).  I wouldn’t recommend trying to uninitialize and re-initialize OpenSSL, though — while probably safe, it seems like a bad idea.  If this is a long-running program that can do multiple things at a time, it’s definitely a bad idea to allow a toggle like that — someone might’ve started a task, then turned on FIPS approved mode — if the task hasn’t done anything with OpenSSL yet, it’ll probably be done with FIPS approved mode, but was that the user’s intent?  I’d recommend that when a user changes the setting, you store the setting and inform the user that the new setting will take effect only after restarting the application.

I really doubt you’ll be allowed to switch FIPS approved mode on and off with just a simple toggle (even if it works technically).

> Regards
> Jayalakshmi
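The "store the setting, apply it at the next start" pattern Tom recommends, as an added C example that is not code from the thread or from OpenSSL: the persisted setting is read once at startup and handed to FIPS_mode_set(), while a runtime toggle only updates the stored value and reports that a restart is required. FIPS_mode_set is reached through a function pointer so the policy can be exercised without a FIPS-capable build; the two stub functions, the config format and the struct are assumptions of this example.

```c
#include <string.h>
#ifdef OPENSSL_FIPS                 /* only a FIPS-capable OpenSSL 1.0.x build defines this */
#include <stdio.h>
#include <openssl/err.h>
#endif
typedef int (*fips_set_fn)(int onoff);      /* same signature as FIPS_mode_set() */
enum fips_result { FIPS_APPLIED, FIPS_RESTART_REQUIRED, FIPS_FAILED };

struct fips_policy {
    int active;       /* mode this process was started in */
    int stored;       /* persisted user setting: read at startup, written on change */
    int initialized;  /* set once fips_apply_at_startup() has run */
    fips_set_fn set;  /* FIPS_mode_set in production; a stub below for tests */
};

/* Read "fips=0|1" from the persisted config text (constructed here); absent means off. */
int fips_read_setting(const char *cfg)
{
    for (const char *line = cfg; line; line = strchr(line, '\n')) {
        if (*line == '\n') line++;
        if (strncmp(line, "fips=", 5) == 0) return line[5] == '1';
    }
    return 0;
}

/* Call exactly once, before any other OpenSSL use, and never again in this process. */
enum fips_result fips_apply_at_startup(struct fips_policy *p)
{
    if (p->initialized) return FIPS_FAILED;   /* switching after init is refused */
    p->initialized = 1;
    p->active = 0;                            /* non-approved mode needs no call */
    if (p->stored && !p->set(1)) {
#ifdef OPENSSL_FIPS
        fprintf(stderr, "FIPS_mode_set(1) failed: %s\n", ERR_error_string(ERR_get_error(), NULL));
#endif
        return FIPS_FAILED;                   /* stay out of approved mode, do not re-init */
    }
    p->active = p->stored;
    return FIPS_APPLIED;
}

/* User toggled the setting: persist it; the new mode applies only after a restart. */
enum fips_result fips_request_change(struct fips_policy *p, int onoff)
{
    p->stored = onoff ? 1 : 0;
    return p->stored == p->active ? FIPS_APPLIED : FIPS_RESTART_REQUIRED;
}

/* Constructed stand-ins for FIPS_mode_set() so the policy can run without the module. */
static int stub_set_ok(int onoff)   { (void)onoff; return 1; }
static int stub_set_fail(int onoff) { (void)onoff; return 0; }
```

In production, initialise the struct with `FIPS_mode_set` as the `set` member and call `fips_apply_at_startup()` before any other OpenSSL call.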
