OpenSSL 3.0 FIPS questions

Dr Paul Dale pauli at openssl.org
Mon Oct 25 21:37:14 UTC 2021


It was meant for the second method only.  The first method is using 
different library contexts to distinguish FIPS algorithms.  Using the 
properties in addition is harmless and might prevent a future mistake 
that breaks compliance.

Pauli
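As an added example that is not part of this thread: a minimal configuration file for the library-context method, covering the fips section Pauli refers to in his earlier reply (quoted below). Assumptions: the fipsmodule.cnf path, and that the application loads this file explicitly with OSSL_LIB_CTX_load_config() into its FIPS library context rather than renaming it to the installed openssl.cnf.

```ini
# Added example, not from the thread. Keep this as a separate file (e.g. fips.cnf)
# and load it with OSSL_LIB_CTX_load_config(fips_libctx, "/path/to/fips.cnf"),
# so the installed openssl.cnf and the NULL (default) library context stay as
# they were; the default provider is loaded there with OSSL_PROVIDER_load(NULL, "default").
config_diagnostics = 1
openssl_conf = openssl_init

# fipsmodule.cnf is written by `openssl fipsinstall` and holds [fips_sect]:
# module-mac, install-mac and install-status, i.e. the integrity check data the
# FIPS provider verifies when it is loaded. The path below is an assumption.
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

# Only the fips provider is referenced. No base or default section is needed
# when the application loads "default" into the NULL context itself.
[provider_sect]
fips = fips_sect
```

Since fipsmodule.cnf sets `activate = 1` in its fips section, loading this file into the NULL context instead would also activate FIPS there and collapse the separation the first method relies on.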

On 26/10/21 4:46 am, Jason Schultz wrote:
> Thanks again. I think most of that makes sense. Going back to your 
> initial response, there is something I'm not clear on.
>
> The second method you explained (which I don't plan to use) starting 
> with "Alternatively,..." included the calls to OSSL_PROVIDER_load(), 
> and then discussed calling the following API for FIPS:
>     EVP_set_default_properties(NULL, "fips=yes");
>
> Was the EVP_set_default_properties() call specifically and only for 
> the 2nd method, or did that API call apply to both the first and 
> second methods you explained? From reading the doc for that call, it 
> seems like I should be doing it if I use the first method as well.
>
> Regards,
>
> Jason
>
> ------------------------------------------------------------------------
> *From:* openssl-users <openssl-users-bounces at openssl.org> on behalf of 
> Dr Paul Dale <pauli at openssl.org>
> *Sent:* Sunday, October 24, 2021 11:12 PM
> *To:* openssl-users at openssl.org <openssl-users at openssl.org>
> *Subject:* Re: OpenSSL 3.0 FIPS questions
> The configuration shouldn't have much impact.  You will need a fips 
> section specifying where the integrity check data are.  You shouldn't 
> need base or default sections.
>
>
> Pauli
>
> On 25/10/21 5:23 am, Jason Schultz wrote:
>> Thank you for your response. I think all of that makes sense, and 
>> seems to accomplish what I want programmatically, limiting it to my 
>> application. I guess the only question I have is what about the 
>> config files? Should they remain as they were installed, or do I need 
>> to provide sections for fips, base, default, etc?
>>
>> Regards,
>>
>> Jason
>>
>>
>> ------------------------------------------------------------------------
>> *From:* openssl-users <openssl-users-bounces at openssl.org> on behalf of 
>> Dr Paul Dale <pauli at openssl.org>
>> *Sent:* Sunday, October 24, 2021 12:28 AM
>> *To:* openssl-users at openssl.org <openssl-users at openssl.org>
>> *Subject:* Re: OpenSSL 3.0 FIPS questions
>> Oops, the second time this occurs "defp = 
>> OSSL_PROVIDER_load(non_fips_libctx, "default");" it should be "defp = 
>> OSSL_PROVIDER_load(NULL, "default");"
>>
>>
>> Pauli
>>
>> On 24/10/21 10:06 am, Dr Paul Dale wrote:
>>> defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
>>
>
