Static OpenSSL 3 library with FIPS

Paul Spencer pspence at us.ibm.com
Fri Mar 25 20:59:33 UTC 2022


Thanks for the info.

You mean both libssl.a and libcrypto.a static, and then dynamically loaded fips.so, correct? Unfortunately that gets away from the single-binary-executable model and so is a somewhat major change.


-----Original Message-----
From: Matt Caswell <matt at openssl.org<mailto:Matt%20Caswell%20%3cmatt at openssl.org%3e>>
To: openssl-users at openssl.org<mailto:openssl-users at openssl.org>
Subject: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
Date: Fri, 25 Mar 2022 20:22:02 +0000



On 25/03/2022 18:33, Paul Spencer wrote:

Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?


This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and

special linking in the Makefile). However, with SSL3, if I go


Configure no-module enable-fips


then it silently disables FIPS. Is there any way to do this?



You can have a static libcrypto (.a) with a dynamically loaded FIPS

module (i.e. using fips.so).


Configure no-shared enable-fips


You cannot have a statically linked FIPS module. It was a day 1 design

decision that we would no longer support this.


Matt
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20220325/52fd156d/attachment-0001.htm>


More information about the openssl-users mailing list