AES-cipher offload to engine in openssl-fips

Short, Todd tshort at
Wed Feb 27 11:53:36 UTC 2019


The OpenSSL FIPS Module is not written that way. It should not be permitting any non-FIPS implementations (see Rich's email regarding a bug).

You could write your own engine, get that FIPS certified, and run it with plain, vanilla OpenSSL.

There's a design spec out for OpenSSL 3.0.0 that may allow you to have your own FIPS provider, which, I believe, would be the closest thing to what you want. 

-Todd Short
// Sent from my iPhone
// "One if by land, two if by sea, three if by the Internet."

> On Feb 27, 2019, at 6:45 AM, suji <sujiknair at> wrote:
> Thanks for the reply.
> With non-fips openssl, it is possible to write my own fips-module. I
> understood. 
> But, is it possible for me to write a fips-compliant/fips validated "dynamic
> engine" with openssl-fips? Which allows me to offload "fips-compliant"
> functions to my engine "dynamically"? 

More information about the openssl-users mailing list