[openssl-users] How to enable FIPS mode by default of the OpenSSL FIPS modules

Steve Marquess marquess at openssl.com
Mon Sep 14 23:59:34 UTC 2015

On 09/14/2015 05:21 PM, security veteran wrote:
> I asked this question from a different thread, but thought it may be the
> best to start a new thread to discuss this question since it sounds like
> a big deal to me.
> I've built an openssl library with the FIPS objects modules, and I was
> testing the new lib files by replacing the original library files such
> as libcrypto.so with the new ones.
> From the FIPS user guide I understand that any applications which need
> to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
> to enable the FIPS mode.
> This sounds like a big issue to me: there are many other libraries/services
> which depend on OpenSSL. For example, Python, Apache, PostgreSQL, etc.
> If the FIPS_mode_set API needs to be invoked in order to enable the
> FIPS mode, how can we make third-party libraries/services like Python and
> Apache invoke this API?
> Is there any other way to make the FIPS mode always enabled?

Well ... yes and no. It depends.

The OpenSSL FIPS module User Guide
(https://openssl.org/docs/fips/UserGuide-2.0.pdf) discusses use of the
OPENSSL_Config() call and the global openssl.conf configuration file. In
theory you could toggle FIPS mode for all the applications on a system
in one swell foop.

In practice it's not that easy, because when you enable FIPS mode you
also automatically disable use of all "non-allowed" cryptography. Many
applications not specifically written to accommodate the restrictions of
the FIPS module may not behave gracefully. Some (OpenSSH for instance)
require extensive hacks for FIPS mode.

Apache httpd does have native FIPS support, but you'll need to invoke
the right buildtime and runtime options; the typical httpd binary
install won't have FIPS support.

-Steve M.

Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at opensslfoundation.com
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
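The configuration-file route Steve mentions, written out as an added example that is not part of the original thread: this is the chain of sections in the system OpenSSL config file (OPENSSLDIR/openssl.cnf, assumed here to be the "openssl.conf" he refers to) that makes OPENSSL_config() call FIPS_mode_set(1) for any application that loads that file. The names openssl_def and alg_sect are arbitrary labels chosen for this example; openssl_conf, alg_section and fips_mode are the keys the library itself looks for.

```ini
# Default (unnamed) section: OPENSSL_config(NULL) looks up the key
# "openssl_conf" here to find the application's top-level section.
openssl_conf = openssl_def

[openssl_def]
# Hand algorithm-related settings to the "alg_sect" section below.
# (Section name is an example label; the key "alg_section" is fixed.)
alg_section = alg_sect

[alg_sect]
# fips_mode = yes makes the library call FIPS_mode_set(1) while the
# config is being loaded, i.e. before the application performs any
# crypto. From that point on, non-allowed algorithms (MD5, RC4, ...)
# are rejected by the library, which is exactly the behaviour that
# trips up applications not written with FIPS mode in mind.
fips_mode = yes
```

Only processes that actually call OPENSSL_config() (or otherwise load this file) pick the setting up, so a process that links libcrypto but never loads the config still runs in non-FIPS mode; a quick way to confirm the outcome from inside an application is to check the return value of FIPS_mode() after initialisation.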