[SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

Thomas Dwyer III tomiii at tomiii.com
Mon Jul 20 17:47:57 UTC 2020


I just created https://github.com/openssl/openssl/issues/12496 for this.


Regards,
Tom.III


On Sat, Jul 18, 2020 at 1:06 AM Dr. Matthias St. Pierre <
Matthias.St.Pierre at ncp-e.com> wrote:

> Thomas,
>
> > I consider this a bug, of course, but at least now I know what's causing
> > it and how to work around it.
>
> thanks for sharing your analysis. Would you mind creating a GitHub issue
> for the hang?
>
> https://github.com/openssl/openssl/issues
>
> Matthias
>
> From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of
> Thomas Dwyer III
> Sent: Friday, July 17, 2020 6:57 PM
> To: openssl-users <openssl-users at openssl.org>
> Subject: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider
>
> It turns out the problem was caused by a misinterpretation of the phrase
> "add the following lines near the beginning" in section 7.1 of the
> documentation at https://wiki.openssl.org/index.php/OpenSSL_3.0 for
> enabling FIPS support. I added these lines to the very top of the file:
>
> openssl_conf = openssl_init
>
> .include /usr/local/ssl/fipsmodule.cnf
>
> [openssl_init]
> providers = provider_sect
>
> [provider_sect]
> fips = fips_sect
>
> This caused the existing default section to now become part of the
> [provider_sect] section. Apparently any name=value line in that particular
> section where no [value] section exists causes OpenSSL to hang at exit when
> the FIPS provider is used. I consider this a bug, of course, but at least
> now I know what's causing it and how to work around it.
>
>
>
> Regarding how to confirm which provider is actually providing a given
> algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD
> obtained via EVP_get_digestbyname() (even after it's used successfully by
> EVP_DigestInit_ex()) but it returns a valid OSSL_PROVIDER for any EVP_MD
> obtained via EVP_MD_fetch(). Is this intentional?
>
>
>
>
>
> Tom.III
>
>
>
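
An added example, not part of the thread and not OpenSSL code: a simplified Python check for the layout described in the quoted message, where lines meant for the default section end up inside the providers section. The function names and the sample files are constructed for illustration; the parser ignores variable expansion and does not read `.include`d files, so `[fips_sect]` is assumed to be defined by the included fipsmodule.cnf.

```python
import re

SECTION = re.compile(r"^\[\s*([^\]\s]+)\s*\]$")
def parse_conf(text):
    """Simplified parse: {section: [(name, value), ...]}; no $var expansion."""
    sections, current = {"default": []}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue  # included files are covered by `external` below
        m = SECTION.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            sections[current].append((name, value))
    return sections

def dangling_provider_entries(text, external=("fips_sect",)):
    """Providers-section entries whose value names no [section] (external: assumed)."""
    conf = parse_conf(text)
    init = dict(conf["default"]).get("openssl_conf")
    prov = dict(conf.get(init, [])).get("providers")
    return [e for e in conf.get(prov, []) if e[1] not in conf and e[1] not in external]

# Constructed samples: the post's layout, then the block moved below the default lines.
BROKEN = """\
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
HOME = .
oid_section = new_oids
[new_oids]
"""
FIXED = """\
HOME = .
oid_section = new_oids
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
[new_oids]
"""
```

On the broken sample the check reports `HOME = .`, the kind of name=value line with no matching `[value]` section that the message describes; `oid_section = new_oids` is also misplaced there but is not reported because a `[new_oids]` section exists.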