command 'openssl ciphers -v -provider fips' shows not complain algorithms

Jan Lana jan.lana at oracle.com
Wed Jan 26 11:27:36 UTC 2022


Hi,

When I run 

   openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256

it shows this non complain cipher is available. To add '-propquery 
fips=yes' argument does not help. IMHO it is not correct behavior.


I have the default and fips providers enabled in openssl.cnf:

   openssl_conf = openssl_init

   .include /usr/local/ssl/fipsmodule.cnf

   [openssl_init]
   providers = provider_sect

   [provider_sect]
   fips = fips_sect
   default = default_sect

   [default_sect]
   activate = 1


For testing I use docker.io/salrashid123/openssl:fips image with 
modified /usr/local/ssl/openssl.cnf.

When I add 'alg_section = algorithm_sect' to [openssl_init] section 
defined as follows:

   [algorithm_sect]
   default_properties = fips=yes

the command 'openssl cipher -v' shows just fips compliant ciphers.

I found it when I try to build stunnel 5.62 and one of their test fails.  
The test uses OSSL_PROVIDER_load() to load fips provider and then set 
ciphersuite to TLS_CHACHA20_POLY1305_SHA256.  Expected results is that 
there is no complain cipher.
(https://github.com/mtrojnar/stunnel/blob/178822afdefb0798fb937f6b5f43b47c5ab77613/tests/plugins/p11_fips_cipher.py#L78)

Thanks in advance,
- jenda


More information about the openssl-users mailing list