OpenSSL 3.0 FIPS module configuration file

Thomas Dwyer III tomiii at tomiii.com
Mon Feb 14 23:57:51 UTC 2022


I believe the relevant standard is described in the Implementation Guidance
for FIPS 140-2:
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf
(see IG 9.11 beginning on page 179). I searched briefly for similar text in
FIPS 140-3 IG but didn't see anything relevant.


Tom.III


On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale <pauli at openssl.org> wrote:

> Yes, this has to do with the FIPS standards.  I forget which standard it
> is but the self tests are mandated to be run on each device independently.
>
> The fipsinstall process runs the self tests before generating the
> configuration file.  If the self tests fail, the module doesn't install.
> Copying the configuration file across avoids the self tests and therefore
> isn't compliant.
>
>
> Pauli
>
>
> On 15/2/22 02:25, Richard Dymond wrote:
>
> Hi
>
> Probably a dumb question, but why must the FIPS module configuration file
> for OpenSSL 3.0 be generated on every machine that it is to be used on
> (i.e. must not be copied from one machine to another)?
>
> I just ran 'openssl fipsinstall' on two different machines with the same
> FIPS module and it produced exactly the same output each time, so
> presumably the reason has nothing to do with the config file being unique
> to the machine.
>
> Does it have something to do with the FIPS standard itself?
>
> Richard
>
>
>