[SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider
Dr. Matthias St. Pierre
Matthias.St.Pierre at ncp-e.com
Sat Jul 18 08:06:31 UTC 2020
Thomas,
> I consider this a bug, of course, but at least now I know what's causing it and how to work around it.
thanks for sharing your analysis. Would you mind creating a GitHub issue for the hang?
https://github.com/openssl/openssl/issues
Matthias
From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Thomas Dwyer III
Sent: Friday, July 17, 2020 6:57 PM
To: openssl-users <openssl-users at openssl.org>
Subject: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider
It turns out the problem was caused by a misinterpretation of the phrase "add the following lines near the beginning" in section 7.1 of the documentation at https://wiki.openssl.org/index.php/OpenSSL_3.0 for enabling FIPS support. I added these lines to the very top of the file:
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
This caused the existing default section to now become part of the [provider_sect] section. Apparently any name=value line in that particular section where no [value] section exists causes OpenSSL to hang at exit when the FIPS provider is used. I consider this a bug, of course, but at least now I know what's causing it and how to work around it.
Regarding how to confirm which provider is actually providing a given algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD obtained via EVP_get_digestbyname() (even after it's used successfully by EVP_DigestInit_ex()) but it returns a valid OSSL_PROVIDER for any EVP_MD obtained via EVP_MD_fetch(). Is this intentional?
Tom.III
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200718/63bb186a/attachment-0001.html>
More information about the openssl-users
mailing list