[openssl-users] Does OpenSSL FIPS modules only affect libcrypto.so

Steve Marquess marquess at openssl.com
Tue Jan 19 14:44:49 UTC 2016

On 01/19/2016 04:33 AM, security veteran wrote:
> Hi,
> I am trying to build a system with both the non-FIPS OpenSSL and the
> OpenSSL with FIPS modules, and was wondering: do the OpenSSL FIPS modules
> actually only affect libcrypto.so?

Yes and no.

The "FIPS enabled" OpenSSL consists of OpenSSL 1.0.N built with the
"fips" option, in the presence of an OpenSSL FIPS module. That module
(which is basically the fipscanister.o file) is embedded within the
libcrypto shared library.

If you don't enable FIPS mode (no FIPS_mode_set() call) then that
libcrypto behaves just like the usual libcrypto from a non-FIPS enabled
OpenSSL build; the FIPS module is just dead weight.

But once you enable FIPS mode then the cryptographic operations that are
not allowed by FIPS 140-2 (which are many of the algorithms supported by
OpenSSL) are automagically disabled. Those cryptographic operations
which are allowed are routed to the FIPS module. Note that those
separate crypto implementations in the FIPS module will always
necessarily be "behind" the ones in OpenSSL proper (in terms of
performance, security, general robustness).

Note we designed the "FIPS enabled" mechanism just so that vendors would
not need to ship two different sets of binaries to their customers who
do and don't care about FIPS 140-2. Ship the "FIPS enabled" OpenSSL
libraries to all your customers, and those who don't explicitly enable
FIPS mode won't see the FIPS part.

-Steve M.

Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
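
Added example, not part of the original message and not OpenSSL project code: a small C probe showing the behaviour described above, where the same libcrypto accepts MD5 until FIPS_mode_set(1) is called and refuses it afterwards. It assumes OpenSSL 1.0.x headers (stack-allocated EVP_MD_CTX); the names fips_probe and digest_usable are hypothetical, and a build without the "fips" option takes the fallback branch.

```c
/* Added example: assumes OpenSSL 1.0.x; build with: cc fips_probe.c -lcrypto */
#include <stdio.h>
#if defined(__has_include)
#  if __has_include(<openssl/opensslconf.h>)
#    include <openssl/opensslconf.h> /* defines OPENSSL_FIPS on "fips" builds */
#  endif
#endif

#ifdef OPENSSL_FIPS
#include <openssl/crypto.h>
#include <openssl/evp.h>

/* 1 if the digest can be initialised in the current mode, 0 if refused. */
static int digest_usable(const EVP_MD *md)
{
    EVP_MD_CTX ctx;
    int ok;

    EVP_MD_CTX_init(&ctx);
    ok = EVP_DigestInit_ex(&ctx, md, NULL);
    EVP_MD_CTX_cleanup(&ctx);
    return ok;
}
#endif

/* Returns -1 if libcrypto was not built with the "fips" option,
 *          0 if FIPS_mode_set(1) failed (e.g. module self-test failure),
 *          1 if FIPS mode is on, MD5 is refused and SHA-256 still works,
 *          2 if FIPS mode is on but the digests did not behave that way. */
int fips_probe(void)
{
#ifdef OPENSSL_FIPS
    int md5_before = digest_usable(EVP_md5()); /* default mode: allowed */

    if (!FIPS_mode_set(1))
        return 0;
    if (md5_before && !digest_usable(EVP_md5()) && digest_usable(EVP_sha256()))
        return 1;
    return 2;
#else
    return -1; /* this build has no embedded FIPS module */
#endif
}

int main(void)
{
    printf("fips_probe() = %d\n", fips_probe());
    return 0;
}
```

A result of 2 also occurs if FIPS mode was already enabled before the probe ran, since MD5 is then refused on the first check as well.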
