[openssl-users] new FIPS module

Steve Marquess marquess at openssl.com
Thu Sep 29 20:08:32 UTC 2016


On 09/29/2016 12:40 PM, Troy Smoke wrote:
> I am in the position of evaluating products that have (or claim to have)
> implemented the OpenSSL FIPS module.
> 
> I would like to be able to run a command or run the FIPS
> self-test on command, for the purpose of verifying if OpenSSL is
> operating in FIPS mode. 
> 
> ...

Keep in mind that "OpenSSL" itself doesn't "operate in FIPS mode".
OpenSSL is a set of shared libraries which may be instantiated different
ways by different calling applications. Application A may enable FIPS
mode while application B referencing the same shared libraries doesn't.
"OpenSSL" itself is never "operating in FIPS mode" independently of any
applications; the term is meaningful only in the context of a specific
application/process.

A related question is "Does this OpenSSL install support use of the FIPS
module"? We call OpenSSL built that way a "FIPS capable" OpenSSL;
"capable" because calling applications can elect to enable FIPS mode (or
not).

To see if a specific install of OpenSSL 1.0.1/1.0.2 was built as FIPS
capable, you can run the command (application):

  OPENSSL_FIPS=1 openssl md5 < /dev/null

It will throw errors if the "openssl" command is from a FIPS capable
OpenSSL; either for a self test failure (unlikely) or because of the
disallowed algorithm. If not from a FIPS capable OpenSSL you just see
the message "FIPS mode not supported."

Note that this tells you nothing about whether another application has
enabled FIPS mode, though. For that you need to look under the hood of
that application (i.e. ask the vendor).

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

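An added example, not code from the post or from the OpenSSL project: a small POSIX shell wrapper around the probe described above that interprets its outcome the way Steve explains it. The function names and the sample output strings are my own constructions; only the "FIPS mode not supported" message is matched literally, since the exact error text of a FIPS-capable build is assumed to vary.

```shell
# classify_probe OUTPUT EXIT_STATUS
#   Interprets the captured output and exit status of
#   "OPENSSL_FIPS=1 openssl md5 < /dev/null" and prints one of:
#   not-capable | capable | ignored
classify_probe() {
    output=$1
    rc=$2
    case $output in
        *"FIPS mode not supported"*)
            # Non-FIPS build: the openssl command refuses OPENSSL_FIPS outright.
            echo "not-capable" ;;
        *)
            if [ "$rc" -ne 0 ]; then
                # FIPS-capable build: either a self-test failure or MD5 being
                # rejected as a disallowed algorithm in FIPS mode.
                echo "capable"
            else
                # A digest was printed normally, so OPENSSL_FIPS was not
                # honoured at all (the probe applies to 1.0.1/1.0.2 builds).
                echo "ignored"
            fi ;;
    esac
}

# check_fips_capable [OPENSSL_BIN]
#   Runs the probe against a real binary (default: openssl on PATH).
#   Remember this only says whether the *install* is FIPS capable, not
#   whether any particular application has enabled FIPS mode.
check_fips_capable() {
    bin=${1:-openssl}
    # Capture stdout and stderr together: the digest (if any) and the
    # error text both matter for classification.
    out=$(OPENSSL_FIPS=1 "$bin" md5 < /dev/null 2>&1)
    rc=$?
    classify_probe "$out" "$rc"
}
```

Run `check_fips_capable` (or `check_fips_capable /path/to/openssl`) to probe a specific install; the classifier can be unit-tested on constructed strings without openssl present.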