[openssl-users] FIPS mode on Windows

Hubert Kario hkario at redhat.com
Fri Sep 7 16:42:24 UTC 2018


On Friday, 7 September 2018 16:18:48 CEST Alessandro Gherardi wrote:
> Thank you for your reply.
> Looking at the OpenSSL FIPS Security Policy
> https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1747.pdf,
> I see the following statement:
> "The Module requires an initialization sequence (see IG 9.5): the calling
> application invokes FIPS_mode_set(), which returns a “1” for success and “0”
> for failure. If FIPS_mode_set() fails then all cryptographic services fail
> from then on. The application can test to see if FIPS mode has been
> successfully performed." Therefore, for OpenSSL to switch to FIPS mode, it
> is required that the application call FIPS_mode_set(1). Can you please
> confirm that my understanding is now correct?

If you are using that specific openssl module, then yes, you have to manually 
call FIPS_mode_set() from application code.

But please note that's not the only openssl FIPS module in existence, and 
other modules may behave differently (I know that some not only _may_, but 
_will_ behave differently).

Sorry for being vague, but you have not provided any information on what versions 
you are actually running, on what versions of OS, how you acquired them, etc. 
All of which has quite a significant impact on the FIPS-worthiness of any particular 
module. Also, to make matters worse (more confusing), the software package version 
is not the same thing as the FIPS module version.
-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
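The initialization sequence quoted from the Security Policy, written out as an added example that is not part of this thread and is not OpenSSL project code. It assumes an application linked against an OpenSSL 1.0.x-style FIPS-capable libcrypto (`-lcrypto`); the two entry points are declared as weak references instead of via `<openssl/fips.h>`, so the same program also builds and runs against a libcrypto that carries no FIPS module at all and reports that case instead of silently running non-FIPS crypto. The `fips_status` codes and the `fips_enable()` / `fips_status_str()` names are this example's own, not an OpenSSL API.

```c
/*
 * Added example, not code from the thread or from the OpenSSL project.
 * Fail-closed FIPS start-up: call FIPS_mode_set(1), treat 0 as fatal (the
 * Security Policy says every cryptographic service fails from then on),
 * and confirm the switch with FIPS_mode() rather than trusting the return
 * value alone.  Weak references make the "no FIPS module in this libcrypto"
 * case detectable at run time, which matters because the package version
 * says nothing about which (if any) FIPS module is inside.
 */
#include <stddef.h>
#include <stdio.h>

/* Weak references: resolve to NULL when the linked libcrypto does not export them.
 * (GCC/clang on ELF; an assumption of this example.) */
extern int FIPS_mode_set(int onoff) __attribute__((weak));
extern int FIPS_mode(void) __attribute__((weak));

/* Status codes defined by this example. */
enum fips_status {
    FIPS_OK = 0,        /* FIPS_mode_set(1) returned 1 and FIPS_mode() confirms it */
    FIPS_NO_MODULE,     /* libcrypto exports no FIPS_mode_set(): no FIPS module present */
    FIPS_SET_FAILED,    /* FIPS_mode_set(1) returned 0 (e.g. integrity or self-test failure) */
    FIPS_NOT_CONFIRMED  /* FIPS_mode_set() reported success but FIPS_mode() says otherwise */
};

const char *fips_status_str(enum fips_status s)
{
    switch (s) {
    case FIPS_OK:            return "FIPS mode enabled and confirmed";
    case FIPS_NO_MODULE:     return "no FIPS module in the linked libcrypto";
    case FIPS_SET_FAILED:    return "FIPS_mode_set(1) failed; module is unusable from now on";
    case FIPS_NOT_CONFIRMED: return "FIPS_mode_set(1) succeeded but FIPS_mode() is 0";
    }
    return "unknown status";
}

/* Perform the initialization sequence from the Security Policy and verify it. */
enum fips_status fips_enable(void)
{
    if (FIPS_mode_set == NULL || FIPS_mode == NULL)
        return FIPS_NO_MODULE;

    /* Returns 1 for success, 0 for failure.  After a failure the caller must
     * not continue as if nothing happened: all crypto in the module now fails. */
    if (FIPS_mode_set(1) != 1)
        return FIPS_SET_FAILED;

    /* The policy notes the application can test whether the switch took effect. */
    if (FIPS_mode() == 0)
        return FIPS_NOT_CONFIRMED;

    return FIPS_OK;
}

int main(void)
{
    enum fips_status s = fips_enable();
    printf("%s\n", fips_status_str(s));
    /* Fail closed: refuse to start if FIPS mode was required but not confirmed. */
    return s == FIPS_OK ? 0 : 1;
}
```

Run the binary once on each build you intend to ship; a non-zero exit on a machine where FIPS mode was expected is exactly the "which module am I actually running" question raised above, answered before any traffic is handled rather than after.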