[openssl-users] Question about Openssl FIPS module and Python-openssl

security veteran security.veteran at gmail.com
Mon Sep 14 21:08:17 UTC 2015

Thanks John.

In that case it may be more complicated to invoke the FIPS_mode_set
API from the Python layer. Is there any way to make the FIPS mode
always enabled by default in the library layer, so that there's no
need to invoke the FIPS_mode_set API?



Your first question should be presented to the Python developers that
provide support for OpenSSL.  They would be the user of the OpenSSL
API.  I'm not a Python expert, but somewhere they would have a native
layer that leverages the OpenSSL API.  This native layer code would need
to invoke FIPS_mode_set().  The question is whether or not they expose
a knob to the Python user layer to enable/disable FIPS.  Maybe someone
on this mailer happens to know the answer.  If not, reach out to the
Python developer community.

Regarding your second question, FIPS_mode_set() needs to be invoked once
within each process space.  Therefore, if your Python code was all
running in a single process space, then you'd only need to invoke it
once.  But if you're spawning multiple processes, then you'll need to
invoke it whenever a new process was created.

On 09/14/2015 03:51 PM, security veteran wrote:
> Hi,
>
> I've built an openssl library with the FIPS objects modules, and I was
> testing the new lib files by replacing the original library files such
> as libcrypto.so with the new ones.
>
> From the FIPS user guide I understand that any applications which need
> to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
> to enable the FIPS mode.
>
> My question is, for the applications/ libraries like Python-openssl
> which depends on the openssl libraries, how do I make the
> Python-openssl module to run the FIPS_mode_set API, in order to
> initialize/enable FIPS mode?
>
> Also, does the FIPS_mode_set API only need to be run once by one of
> the applications/ libraries which use OpenSSL?
>
> Thanks for your help!
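The once-per-process call described in the reply above, as an added example that is not part of the original thread or of any Python OpenSSL binding. It assumes the libcrypto found by the loader is the FIPS-capable build and is the same shared object the Python bindings use in that process; `load_libcrypto` and `ensure_fips` are hypothetical helper names.

```python
import ctypes
import ctypes.util
import os
import sys

_fips_pid = None  # pid of the process in which FIPS mode was last confirmed


def load_libcrypto():
    """Load the system libcrypto (assumed to be the FIPS-capable build)."""
    name = ctypes.util.find_library("crypto")
    if name is None:
        raise OSError("libcrypto not found")
    return ctypes.CDLL(name)


def ensure_fips(lib):
    """Enable FIPS mode once per process; return True if this call enabled it."""
    global _fips_pid
    pid = os.getpid()
    if _fips_pid == pid:
        return False  # already confirmed in this process
    # A libcrypto without these symbols cannot be switched this way:
    # fail closed instead of silently running outside FIPS mode.
    if not hasattr(lib, "FIPS_mode_set") or not hasattr(lib, "FIPS_mode"):
        raise RuntimeError("libcrypto does not export FIPS_mode_set/FIPS_mode")
    enabled_here = False
    if lib.FIPS_mode() == 0:
        # int FIPS_mode_set(int onoff) returns 1 on success, 0 on failure.
        if lib.FIPS_mode_set(1) != 1:
            raise RuntimeError("FIPS_mode_set(1) failed")
        enabled_here = True
    _fips_pid = pid
    return enabled_here


if __name__ == "__main__":
    # Call ensure_fips() first in every process, including each worker
    # process, before any other cryptographic operation.
    try:
        print("enabled by this call:", ensure_fips(load_libcrypto()))
    except (OSError, RuntimeError) as exc:
        sys.exit(str(exc))
```
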