Need Help on OpenSSl 3.0.x and FIPS enablement
Dr Paul Dale
pauli at openssl.org
Tue Feb 28 22:04:11 UTC 2023
Have you read the relevant documentation? Specifically, the FIPS module
guide <https://www.openssl.org/docs/man3.0/man7/fips_module.html>, the
FIPS provider
<https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-FIPS.html> and
the migration guide
<https://www.openssl.org/docs/man3.0/man7/migration_guide.html>? These
answer most of your questions and can be easy to miss.
With the FIPS provider in OpenSSL 3.0 you will not be able to escape
having some configuration in a file. The FIPS provider does an
integrity check on start up and the correct checksum comes from
configuration.
As for running on different machines to the build one, the security
policy
<https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf>
is clear that the checksum configuration cannot be copied between machines:
/Note: The Module shall have the self-tests run, and the Module
config file output generated on each//platform where it is intended
to be used. The Module config file output data shall not be copied
from//one machine to another./
I'll note that following the build and installation instructions from in
the security policy
<https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf>
is necessary for a FIPS compliant provider.
Pauli
On 1/3/23 04:52, Prasad, PCRaghavendra via openssl-users wrote:
>
> Hi Team,
>
> Our team has started migrating from OpenSSL 1.0.2 to OpenSSL 3.0.x
> version.
>
> We are doing POC for the same on windows and Linux.
>
> We have a tight schedule to finish the migration by April 1^st week as
> we need to fix one critical BD issue and support TLS 1.3 feature as well.
>
> The team and I are going through multiple docs of OpenSSL 3.x and
> trying to figure out how to configure fips once we build the OpenSSL.
>
> Few things:
>
> * In openssl 3.0.x Fips module is installed/integrated by default
> (enable-fips) during the build step
> * Fipsmodule.cnf is present in the default location (c:\usr\local\ssl\)
> * After reading multiple ways on how to enable fips, one way is the
> config way where we need to change few params in openssl.cnf
> * By changing that and we did the test using openssl.exe ( sha1
> passed and md5 failed) all good
> * Now the challenge is we need to set the fips enablement
> programmatically which we were going through multiple docs
> (openssl and some forums)
> * Till now we used OpenSSL 1.0.2 where the fipsmodule is embedded in
> libcrypto and we need to set it at the beginning of the
> application (fips_mode_set()) and everything else is taken care by
> default.
> * Now with OpenSSL 3.0.x how to set that fips mode for the entire
> application is not very clear
> * Very where they are talking about the config files, our
> application is a standalone application that bundles all the
> required libs(crypto/SSL) and runs on its own, it will not refer
> to any system config/lib files
> * So our doubt is if we build on the application on build machine
> containing OpenSSL 3.0.x and create an artifact. We need to run on
> different machines.
> * In OpenSSL 3.0.x is there any hard dependency on the .cnf files
> should we carry them in our artifact and if so should we install
> them in the default path like ( C:\usr or /us/local) which we were
> not doing till now?
>
> Any input on this will be really helpful
>
> Thanks,
>
> Raghavendra
>
>
> Internal Use - Confidential
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230301/c51b6169/attachment-0001.htm>
More information about the openssl-users
mailing list