[openssl-users] Difference in the methods for listing the FIPS ciphers

Dr. Stephen Henson steve at openssl.org
Sun Jan 10 01:24:52 UTC 2016

On Fri, Jan 08, 2016, jonetsu wrote:

> Hello,
> Using 1.0.1e running FIPS module 2.0.9, the following two
> commands for querying the ciphers do not yield the same results.
> There are more ciphers declared in the 'string' version.
> The 'environment variable' version:
> % OPENSSL_FIPS=1 openssl ciphers -v |
> The 'string' version:
> % openssl ciphers -v 'FIPS'
> In the 'string' version only:
> Is the 'environment variable' usage broken?

No: the two are not equivalent.

The environment variable version lists the default ciphers with the non-FIPS
ciphers filtered out.

When you specify FIPS as the cipher string it specifies all ciphers which can
be used in FIPS mode including those not in the default list.

Specifically the default cipher string omits anonymous cipher suites.

If you do:

OPENSSL_FIPS=1 openssl ciphers -v ALL

you should get the same result as the FIPS cipher string.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
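
Added example, not part of the original message or of OpenSSL itself: a POSIX shell helper that diffs two `openssl ciphers -v` listings and checks that every suite found only in the second is anonymous (`Au=None`), which is the difference the reply describes. The sample listings and function names are constructed for illustration.

```shell
#!/bin/sh
# On a FIPS-capable build, feed in the real listings from the thread:
#   extra_suites "$(OPENSSL_FIPS=1 openssl ciphers -v)" "$(openssl ciphers -v 'FIPS')"

# Constructed sample listings in `openssl ciphers -v` format (not real output
# from the poster's system).
DEFAULT_LIST='ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'
STRING_LIST='ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# extra_suites LIST_A LIST_B: print "name auth" for suites only in LIST_B.
extra_suites() {
    { printf '%s\n' "$1"; printf '%s\n' '--'; printf '%s\n' "$2"; } | awk '
        $0 == "--" { second = 1; next }      # separator between the listings
        NF == 0 { next }                     # skip blank lines
        !second { seen[$1] = 1; next }       # remember suites from LIST_A
        !($1 in seen) {
            auth = "unknown"
            for (i = 2; i <= NF; i++) if ($i ~ /^Au=/) auth = substr($i, 4)
            print $1, auth
        }'
}

# non_anonymous_extras LIST_A LIST_B: extras whose Au= is not None.
# Empty output means the whole difference is anonymous suites.
non_anonymous_extras() {
    extra_suites "$1" "$2" | awk '$2 != "None" { print $1 }'
}

# anonymous_in LIST: suites with Au=None in a listing; usable as a gate on
# the cipher string actually configured for a service.
anonymous_in() {
    printf '%s\n' "$1" |
        awk '{ for (i = 2; i <= NF; i++) if ($i == "Au=None") print $1 }'
}

echo "Only in the second listing:"
extra_suites "$DEFAULT_LIST" "$STRING_LIST"
```

Running `anonymous_in` on the output of `openssl ciphers -v` for the exact string a server is configured with shows whether selecting `FIPS` or `ALL` has pulled in unauthenticated key exchange.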
