OpenSSL 3.0 FIPS module configuration file
Ma Ar
matsura787 at gmail.com
Mon Feb 14 23:49:28 UTC 2022
Maybe a dumb question too, considering that I am admittedly just getting
into this field, but I thought maybe if I ask I might learn
something...is there any method of assurance that the tests were then run
on the machine they are installed on?
If whatever those tests are attesting to to certify compliance can be
falsified by copying over 1 file, what would even be the purpose of those
tests?
Or are they simply dependency checks?
Thanks for all the effort it must take in answering all these questions
every day.
On 2/14/2022 5:31 PM, Dr Paul Dale wrote:
> Yes, this has to do with the FIPS standards. I forget which standard
> it is but the self tests are mandated to be run on each device
> independently.
>
> The fipsinstall process runs the self tests before generating the
> configuration file. If the self tests fail, the module doesn't
> install. Copying the configuration file across avoids the self tests
> and therefore isn't compliant.
>
>
> Pauli
>
>
> On 15/2/22 02:25, Richard Dymond wrote:
>> Hi
>>
>> Probably a dumb question, but why must the FIPS module configuration
>> file for OpenSSL 3.0 be generated on every machine that it is to be
>> used on (i.e. must not be copied from one machine to another)?
>>
>> I just ran 'openssl fipsinstall' on two different machines with the
>> same FIPS module and it produced exactly the same output each time,
>> so presumably the reason has nothing to do with the config file being
>> unique to the machine.
>>
>> Does it have something to do with the FIPS standard itself?
>>
>> Richard
>
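
An added illustration, not part of the original thread and not OpenSSL code: a Python model of why the two outputs Richard compared were identical. Every value in the file is derived from the module bytes and a fixed key. The field names follow the OpenSSL 3.0 fipsinstall file format; the key, the module bytes and the simplified MAC construction are assumptions made for the example.

```python
import configparser
import hashlib
import hmac

# Constructed stand-ins: a real deployment uses the provider file (fips.so)
# and the key fixed when the module was built.
KEY = bytes.fromhex("00" * 32)
MODULE_BYTES = b"\x7fELF constructed stand-in for the FIPS provider binary"


def mac_hex(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 rendered as colon-separated hex (AA:BB:...)."""
    digest = hmac.new(key, data, hashlib.sha256).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def generate_config(module: bytes, key: bytes = KEY) -> str:
    """Model of the file written once the self tests have passed."""
    status = "INSTALL_SELF_TEST_KATS_RUN"
    return (
        "[fips_sect]\n"
        "activate = 1\n"
        f"module-mac = {mac_hex(key, module)}\n"
        f"install-mac = {mac_hex(key, status.encode())}\n"
        f"install-status = {status}\n"
    )


def check_config(text: str, module: bytes, key: bytes = KEY) -> dict:
    """Recompute both MACs and report which integrity checks hold."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    sect = cp["fips_sect"]
    status = sect["install-status"].encode()
    return {
        "module_mac_ok": hmac.compare_digest(sect["module-mac"], mac_hex(key, module)),
        "install_mac_ok": hmac.compare_digest(sect["install-mac"], mac_hex(key, status)),
    }


if __name__ == "__main__":
    machine_a = generate_config(MODULE_BYTES)
    machine_b = generate_config(MODULE_BYTES)
    print("identical on both machines:", machine_a == machine_b)
    print("same module:", check_config(machine_a, MODULE_BYTES))
    print("altered module:", check_config(machine_a, MODULE_BYTES + b"!"))
```

In this model the MACs catch a module that differs from the one the file was generated for, while a file generated elsewhere for the same module passes both checks.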