[openssl-users] How to enable the FIPS mode of the OpenSSL FIPS modules by calling OPENSSL_Config() API?

security veteran security.veteran at gmail.com
Tue Sep 15 22:11:47 UTC 2015


>From the User Guide of OpenSSL FIPS Object Module v2.0, page 54, it
mentioned the FIPS mode can be initialized indirectly by indirect call vial
OPENSSL_config() API.

My question is, from where should we call this API?

If we use Apache and Python as examples, does that mean both of them need
to invoke OPENSSL_Config() in order to enable the FIPS mode?
And if that's the case, how do we make them invoke OPENSSL_Config() API?

Also regarding the openssl.cfg changes mentioned in the User Guide, what do
I need to replace the XXXX string?

Below are the config changes I made, does it look right to you?

Thanks for the helps and suggestions in advanced.

############# Below are my openssl.cfg ##############


HOME                    = .

RANDFILE                = $ENV::HOME/.rnd


# Extra OBJECT IDENTIFIER info:

#oid_file               = $ENV::HOME/.oid

oid_section             = new_oids


# To use this configuration file with the "-extfile" option of the

# "openssl x509" utility, name here the section containing the

# X.509v3 extensions to use:

# extensions            =

# (Alternatively, use a configuration file that has only

# X.509v3 extensions in its main [= default] section.)


XXXX_conf = XXXX_options


[ new_oids ]


# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.

# Add a simple OID like this:

# testoid1=1.2.3.4

# Or use config file substitution like this:

# testoid2=${testoid1}.5.6


# Policies used by the TSA examples.

tsa_policy1 = 1.2.3.4.1

tsa_policy2 = 1.2.3.4.5.6

tsa_policy3 = 1.2.3.4.5.7



[ XXXX_options ]

alg_section = algs


[ algs ]

fips_mode = yes


####################################################################

[ ca ]

default_ca      = CA_default            # The default ca section
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150915/709da441/attachment.html>


More information about the openssl-users mailing list