openssl fipsinstall

Thomas Dwyer III tomiii at
Mon Jul 27 20:19:08 UTC 2020

Hi all,

I'm replacing OpenSSL 1.0.2 with OpenSSL 3.0 in an embedded environment
with very limited flash space. We need and use libcrypto and libssl but we
have no need for the openssl binary. To date it was never necessary to ship
this utility in our product. Now with OpenSSL 3.0 it appears the only way
to get FIPS support is to run "openssl fipsinstall ..." to create a FIPS
config file to be included by the main config file. However, at nearly 1MB
in size this binary is prohibitively large.

I am able to reproduce the output of "openssl fipsinstall ..." with a
(considerably smaller) standalone tool that links with libcrypto and
generates HMAC-SHA256 (using FIPS_KEY_STRING from fipskey.h) but I'm
unclear on what the actual FIPS requirements are for this. Would I still be
considered FIPS compliant if I use my own standalone tool instead of the
openssl binary to generate the FIPS config? I presume I don't need to
bother with the self-test callback and that it only matters whether or not
OSSL_PROVIDER_load(NULL, "fips") succeeds?
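
An added example, not part of the original post and not OpenSSL project code: an integrity check that recomputes HMAC-SHA256 over a provider module and compares it with the `module-mac` value recorded in a FIPS config file. The key shown is a constructed placeholder rather than the real FIPS_KEY_STRING. The `module-mac = AA:BB:...` line format and the hex-decoded key are assumptions, and the module bytes and config text are constructed samples.

```python
import hashlib
import hmac
import re
from typing import Optional

# Placeholder key (constructed). A real check would use the hex value of
# FIPS_KEY_STRING from the fipskey.h of the build being verified.
PLACEHOLDER_HEX_KEY = "00" * 32


def module_mac(module_bytes: bytes, hex_key: str) -> bytes:
    """HMAC-SHA256 over the module contents, keyed with the hex-decoded key."""
    return hmac.new(bytes.fromhex(hex_key), module_bytes, hashlib.sha256).digest()


def format_mac(mac: bytes) -> str:
    """Colon-separated upper-case hex (assumed config file notation)."""
    return ":".join(f"{b:02X}" for b in mac)


def recorded_mac(config_text: str) -> Optional[bytes]:
    """Return the module-mac bytes from config text, or None if absent or malformed."""
    m = re.search(r"^\s*module-mac\s*=\s*([0-9A-Fa-f:]+)\s*$", config_text, re.M)
    if not m:
        return None
    try:
        return bytes.fromhex(m.group(1).replace(":", ""))
    except ValueError:  # odd number of hex digits
        return None


def module_matches_config(module_bytes: bytes, config_text: str, hex_key: str) -> bool:
    """True only if the config records a full-length MAC equal to the recomputed one."""
    expected = recorded_mac(config_text)
    if expected is None or len(expected) != hashlib.sha256().digest_size:
        return False
    # Constant-time comparison of the recomputed and recorded MACs.
    return hmac.compare_digest(module_mac(module_bytes, hex_key), expected)


# Constructed sample data: a stand-in for the module file and a matching config.
SAMPLE_MODULE = b"\x7fELF constructed stand-in for the fips provider module"
SAMPLE_CONFIG = "[fips_sect]\nmodule-mac = %s\n" % format_mac(
    module_mac(SAMPLE_MODULE, PLACEHOLDER_HEX_KEY))

if __name__ == "__main__":
    print("match:", module_matches_config(SAMPLE_MODULE, SAMPLE_CONFIG, PLACEHOLDER_HEX_KEY))
    print("tampered:", module_matches_config(SAMPLE_MODULE + b"\x00", SAMPLE_CONFIG, PLACEHOLDER_HEX_KEY))
```
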
