FIPS canister questions

Tomas Mraz tm at
Tue Aug 18 18:05:38 UTC 2020

there is no way to do that. The CentOS OpenSSL build does not allow using the upstream Fips object module.
In theory you could replace the CentOS openssl library with upstream 1.0.2 library built in way that it allows using the fipscanister.o however it would require non-trivial patching of the upstream OpenSSL 1.0.2 code to make it compatible with the rest of the system.

⁣Tomáš​ Mráz

18. 8. 2020 19:51, 19:51, Swapna Pinnamaraju <swapna at> napsal/a:
>Hi everyone.
>We are running CentOS 7.8 and the OpenSSL that comes with it, 'OpenSSL
>1.0.2k-fips'. We have built the latest FOM 2.0 and now we want to
>incorporate the output of the FOM build into our CentOS 7.8 system. So
>we have two questions.
>1.  How do we install the output of the FOM build (fipscanister.o et
>al) on the CentOS system such that the existing OpenSSL will start
>using the new canister?
>1.  How do we verify that libcrypto is indeed using the new
>Thanks in advance.
>Swapna Pinnamaraju | Sr. Staff Software Engineer
>Gigamon |<>
>Address:  3300 Olcott Street, Santa Clara CA 95054
>This message may contain confidential and privileged information. If it
>has been sent to you in error, please reply to advise the sender of the
>error and then immediately delete it. If you are not the intended
>recipient, do not read, copy, disclose or otherwise use this message.
>The sender disclaims any liability for such unauthorized use. NOTE that
>all incoming emails sent to Gigamon email accounts will be archived and
>may be scanned by us and/or by external service providers to detect and
>prevent threats to our systems, investigate illegal or inappropriate
>behavior, and/or eliminate unsolicited promotional emails ("spam").

More information about the openssl-users mailing list