[openssl-users] Help needed on FIPS error 0409A09E:lib(4):func(154):reason(158).

Jayalakshmi bhat bhat.jayalakshmi at gmail.com
Fri Sep 11 05:54:06 UTC 2015

Hi Tom,

Thanks a lot for clarifying the doubt.


On Thu, Sep 10, 2015 at 8:44 AM, Tom Francis <thomas.francis.jr at pobox.com> wrote:

> > On Sep 10, 2015, at 8:44 AM, Jayalakshmi bhat <
> bhat.jayalakshmi at gmail.com> wrote:
> >
> > Hello all,
> >
> > I have a question on FIPS. We have OpenSSL FIPS module integrated with
> > our product. We have an option to enable/disable FIPS at run time. We are
> > executing the following OpenSSL APIs every time the FIPS status changes.
>
> Typically, this is not allowed; you must restart your application in order
> to switch in or out of FIPS approved mode.  Your customer’s auditor (or
> your auditor) may believe differently, but my former employer had auditors
> make it very clear that an application must never switch into or out of
> FIPS approved mode without restarting the application (and most of the
> auditors wanted us to require the user to reboot their entire system to
> make the switch; fortunately they were willing to allow the application
> with just an extra note recommending the user reboot after modifying the
> setting).
> > {
> >       We have mapped OpenSSL crypto locks to mutex internally. Hence we
> >       delete it and create it every time when FIPS status changes.
> >       ERR_free_strings();
> >       ERR_remove_state(0);
> >       EVP_cleanup();
> >       SSL_library_init();
> >       SSLeay_add_all_algorithms();
> > }
> >
> > Without executing this we are hitting the error,
> > error:0409A09E:lib(4):func(154):reason(158). I wanted to know if our
> > approach is correct?
>
> IIRC you should be able to switch in and out of FIPS approved mode by
> simply calling FIPS_mode_set() with the appropriate argument.  I know this
> worked with the FIPS 1.2 module, but I never bothered to try it with the
> 2.0 module (see above about allowed uses).  I wouldn’t recommend trying to
> uninitialize and re-initialize OpenSSL, though — while probably safe, it
> seems like a bad idea.  If this is a long-running program that can do
> multiple things at a time, it’s definitely a bad idea to allow a toggle
> like that — someone might’ve started a task, then turned on FIPS approved
> mode — if the task hasn’t done anything with OpenSSL yet, it’ll probably be
> done with FIPS approved mode, but was that the user’s intent?  I’d
> recommend that when a user changes the setting, you store the setting and
> inform the user that the new setting will take effect only after restarting
> the application.
> I really doubt you’ll be allowed to switch FIPS approved mode on and off
> with just a simple toggle (even if it works technically).
> > Regards
> > Jayalakshmi
> > _______________________________________________
> > openssl-users mailing list
> > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
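As an added example (not code from this thread or from OpenSSL) of the approach Tom describes, store the user's setting, apply it exactly once at startup, and treat any later change as "takes effect after restart". The setter is passed as a function pointer with the shape of OpenSSL 1.0.x FIPS_mode_set(int) so the policy can be exercised without the FIPS module; in a real build you would pass FIPS_mode_set itself. The names fips_policy and demo_fips_mode_set are assumptions.

```c
/* Startup-only FIPS mode policy (added example). The setter has the shape of
 * OpenSSL 1.0.x FIPS_mode_set(int onoff): returns 1 on success, 0 on failure. */
#include <stdio.h>

typedef int (*fips_setter_fn)(int onoff);

struct fips_policy {
    int persisted;   /* setting saved in configuration (1 = FIPS on) */
    int active;      /* mode actually applied in this process */
    int applied;     /* nonzero once the startup decision has been made */
};

/* Call once, before any other OpenSSL use. Returns 1 on success, 0 if the
 * module refused the requested mode or if this is a second call; the caller
 * should abort rather than silently continue in the wrong mode. */
int fips_policy_apply_at_startup(struct fips_policy *p, fips_setter_fn set)
{
    if (p->applied)
        return 0;                 /* never re-initialise a running process */
    p->applied = 1;
    if (!set(p->persisted))
        return 0;
    p->active = p->persisted;
    return 1;
}

/* A run-time toggle only updates the persisted setting; the live mode is
 * untouched. Returns 1 if a restart is needed for the change to take effect,
 * 0 if the requested value already matches the live mode. */
int fips_policy_request_change(struct fips_policy *p, int enable)
{
    p->persisted = enable ? 1 : 0;
    return p->persisted != p->active;
}

int fips_policy_is_active(const struct fips_policy *p) { return p->active; }

/* Stand-in for FIPS_mode_set() (assumption) so the example runs without the module. */
static int demo_fips_mode_set(int onoff) { (void)onoff; return 1; }

int main(void)
{
    struct fips_policy p = { 1, 0, 0 };   /* constructed: config says FIPS on */
    if (!fips_policy_apply_at_startup(&p, demo_fips_mode_set)) {
        fprintf(stderr, "could not enter requested FIPS mode; aborting\n");
        return 1;
    }
    if (fips_policy_request_change(&p, 0))
        puts("setting saved; restart the application to leave FIPS mode");
    return 0;
}
```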