OpenSSL 3.0 FIPS module configuration file

Dr Paul Dale pauli at
Tue Feb 15 00:10:24 UTC 2022

There is nothing stopping cheating.

If you are going to cheat, why bother with FIPS at all?  Just claim 
you're FIPS.


On 15/2/22 10:49, Ma Ar wrote:
> Maybe a dumb question too, considering that I am admittedly just 
> getting into this field, but I thought maybe if I ask I might learn 
> there any method of assurance that the test were then 
> run on the machine they are installed on?
> If whatever those tests are attesting to to certify compliance can be 
> falsified by copying over 1 file, what would even be the purpose of 
> those tests?
> Or are simply dependency checks?
> Thanks for all the effort it must take in answering all these 
> questions every day.
> On 2/14/2022 5:31 PM, Dr Paul Dale wrote:
>> Yes, this has to do with the FIPS standards.  I forget which standard 
>> it is but the self tests are mandated to be run on each device 
>> independently.
>> The fipsinstall process runs the self tests before generating the 
>> configuration file.  If the self tests fail, the module doesn't 
>> install.  Copying the configuration file across avoids the self tests 
>> and therefore isn't compliant.
>> Pauli
>> On 15/2/22 02:25, Richard Dymond wrote:
>>> Hi
>>> Probably a dumb question, but why must the FIPS module configuration 
>>> file for OpenSSL 3.0 be generated on every machine that it is to be 
>>> used on (i.e. must not be copied from one machine to another)?
>>> I just ran 'openssl fipsinstall' on two different machines with the 
>>> same FIPS module and it produced exactly the same output each time, 
>>> so presumably the reason has nothing to do with the config file 
>>> being unique to the machine.
>>> Does it have something to do with the FIPS standard itself?
>>> Richard