OpenSSL 3.0 FIPS module configuration file

Tomas Mraz tomas at
Tue Feb 15 13:53:03 UTC 2022

Please note that there are two checksums in the configuration file. One
of them is the FIPS module checksum and the other is the checksum of
the configuration. You can copy the file across machines if it is
without the configuration checksum - that means the selftest will
always be run when the FIPS module (i.e., the fips provider) is loaded.

You cannot copy the file if the configuration checksum is present in it,
though, because that means the selftest won't be run on the machines
where you copy the configuration file to. That would be against the
FIPS implementation guidance that requires running the selftests at
least once after the installation.


On Tue, 2022-02-15 at 10:31 +1100, Dr Paul Dale wrote:
> Yes, this has to do with the FIPS standards.  I forget which standard
> it is but the self tests are mandated to be run on each device
> independently.
>
> The fipsinstall process runs the self tests before generating the
> configuration file.  If the self tests fail, the module doesn't
> install.  Copying the configuration file across avoids the self tests
> and therefore isn't compliant.
>
> Pauli
>
> On 15/2/22 02:25, Richard Dymond wrote:
> >  
> > Hi
> > 
> > Probably a dumb question, but why must the FIPS module
> > configuration file for OpenSSL 3.0 be generated on every machine
> > that it is to be used on (i.e. must not be copied from one machine
> > to another)?
> > 
> > I just ran 'openssl fipsinstall' on two different machines with the
> > same FIPS module and it produced exactly the same output each time,
> > so presumably the reason has nothing to do with the config file
> > being unique to the machine.
> > 
> > Does it have something to do with the FIPS standard itself?
> > 
> > Richard

Tomáš Mráz, OpenSSL
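
An added example, not part of the original message and not OpenSSL's own code: a Python check that reports whether a fipsmodule.cnf carries the configuration checksum discussed above and is therefore tied to the machine that generated it. The key names (`module-mac`, `install-mac`, `install-status`) and the default section name `fips_sect` are taken from OpenSSL's fips_config documentation rather than from this thread, and the sample files are constructed with placeholder MAC values.

```python
import re

# Key names as documented in OpenSSL's fips_config(5); the message itself
# only speaks of "two checksums".
MODULE_KEY = "module-mac"                          # checksum of the FIPS module
INSTALL_KEYS = ("install-mac", "install-status")   # record of a self-test run


def parse_fips_section(text, section="fips_sect"):
    """Return the key/value pairs of one [section] of an OpenSSL config."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and padding
        if not line:
            continue
        header = re.fullmatch(r"\[\s*([^\]]+?)\s*\]", line)
        if header:
            current = header.group(1)
        elif current == section and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def copy_verdict(text):
    """Classify a fipsmodule.cnf by whether it may be copied between machines."""
    sect = parse_fips_section(text)
    if MODULE_KEY not in sect:
        return "invalid: no module checksum"
    present = [k for k in INSTALL_KEYS if k in sect]
    if present:
        # Self-tests would be skipped on a machine that never ran them.
        return "machine-bound: " + ", ".join(present) + " present"
    return "portable: self-tests run on every load"


# Constructed samples; the MAC values are placeholders, not real output.
PORTABLE = """
[fips_sect]
activate = 1
module-mac = AA:BB:CC
"""
MACHINE_BOUND = (PORTABLE + "install-mac = DD:EE:FF\n"
                 "install-status = INSTALL_SELF_TEST_KATS_RUN\n")

if __name__ == "__main__":
    for name, cfg in (("portable", PORTABLE), ("machine-bound", MACHINE_BOUND)):
        print(name, "->", copy_verdict(cfg))
```

According to the fipsinstall documentation, a file without the install fields is what `openssl fipsinstall -self_test_onload` writes.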
