OpenSSL 3.0 FIPS module configuration file
Dr Paul Dale
pauli at openssl.org
Tue Feb 15 00:05:01 UTC 2022
Tom, thanks for looking this up. I believe that this particular piece
of guidance was removed in 140-3.
Pauli
On 15/2/22 10:57, Thomas Dwyer III wrote:
> I believe the relevant standard is described in the Implementation
> Guidance for FIPS 140-2:
> https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf
> (see IG 9.11 beginning on page 179). I searched briefly for similar
> text in FIPS 140-3 IG but didn't see anything relevant.
>
> Tom.III
>
> On Mon, Feb 14, 2022 at 3:31 PM Dr Paul Dale <pauli at openssl.org> wrote:
>
> Yes, this has to do with the FIPS standards. I forget which
> standard it is but the self tests are mandated to be run on each
> device independently.
>
> The fipsinstall process runs the self tests before generating the
> configuration file. If the self tests fail, the module doesn't
> install. Copying the configuration file across avoids the self
> tests and therefore isn't compliant.
>
> Pauli
>
> On 15/2/22 02:25, Richard Dymond wrote:
>> Hi
>>
>> Probably a dumb question, but why must the FIPS module
>> configuration file for OpenSSL 3.0 be generated on every machine
>> that it is to be used on (i.e. must not be copied from one
>> machine to another)?
>>
>> I just ran 'openssl fipsinstall' on two different machines with
>> the same FIPS module and it produced exactly the same output each
>> time, so presumably the reason has nothing to do with the config
>> file being unique to the machine.
>>
>> Does it have something to do with the FIPS standard itself?
>>
>> Richard
>
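A per-host provisioning script that follows the procedure Pauli describes (generate the configuration on the machine that will use it, never copy it in), added here as an example; it is not code from the thread or from the OpenSSL project, and the module and config paths are assumptions.

```shell
#!/bin/sh
# Per-host FIPS provider provisioning (added example, not from the thread).
# Assumes OpenSSL 3.0 with the FIPS provider at $FIPS_MODULE; the config is
# always regenerated on this host so that the self tests (KATs) run here.
set -eu

FIPS_MODULE="${FIPS_MODULE:-/usr/local/lib64/ossl-modules/fips.so}"  # assumed path
FIPS_CNF="${FIPS_CNF:-/usr/local/ssl/fipsmodule.cnf}"                 # assumed path

# Structural check of a generated config: install-status must record that the
# KATs ran, and both MACs must be present. This cannot distinguish a locally
# generated file from one copied from another host (same module => same
# output, as Richard observed), which is why fips_provision always regenerates.
fips_cnf_ok() {
    cnf="$1"
    [ -f "$cnf" ] || return 1
    grep -q '^install-status *= *INSTALL_SELF_TEST_KATS_RUN' "$cnf" || return 1
    grep -q '^module-mac *= *[0-9A-F:]' "$cnf" || return 1
    grep -q '^install-mac *= *[0-9A-F:]' "$cnf" || return 1
    return 0
}

fips_provision() {
    # Step 1: run the self tests on THIS host and write the config.
    # fipsinstall exits non-zero and produces no config if a KAT fails.
    openssl fipsinstall -module "$FIPS_MODULE" -out "$FIPS_CNF" \
        -provider_name fips -section_name fips_sect
    # Step 2: independent check that module checksum and install MAC agree
    # with the file just written.
    openssl fipsinstall -module "$FIPS_MODULE" -in "$FIPS_CNF" -verify
    fips_cnf_ok "$FIPS_CNF"
}

if [ "${1:-}" = "provision" ]; then
    fips_provision
fi
```

Run as `sh fips_provision.sh provision` on each machine as part of the OpenSSL install step rather than shipping `fipsmodule.cnf` in an image or package.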