Q. Is there an openssl command to print the status of the fips enabled?

Jun Aruga jun.aruga at gmail.com
Thu Jul 27 14:50:28 UTC 2023


Hello openssl-users community,

I am curious to know if there is an `openssl` command to print the
status of the "default_properties = fips=yes" that is equivalent to
the C API `EVP_default_properties_is_fips_enabled` when running
OpenSSL with the FIPS OpenSSL configuration file below. Is there a
command for that?

```
$ cat openssl_fips.cnf
config_diagnostics = 1
openssl_conf = openssl_init

.include /home/jaruga/.local/openssl-3.2.0.dev-fips-debug-06a0d40322/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
```

As a note, I found a command to print the list of the providers. That
is also important to know if the FIPS configuration is properly set.

```
$ OPENSSL_CONF=$(pwd)/openssl_fips.cnf \
  LD_LIBRARY_PATH=/home/jaruga/.local/openssl-3.2.0.dev-fips-debug-06a0d40322/lib \
  /home/jaruga/.local/openssl-3.2.0.dev-fips-debug-06a0d40322/bin/openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.2.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.2.0
    status: active
```

Thanks for your help!

Jun
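
An added example, not part of the original message and not OpenSSL project code: a static Python check that walks a configuration like the one quoted above from `openssl_conf` to `alg_section` and `providers` and reports whether the file requests `fips=yes`. The function names and the placeholder include path are assumptions; the check only reads the file, so it does not replace `EVP_default_properties_is_fips_enabled`, which reports the state of the loaded library.

```python
import re

# Constructed sample: the quoted config, blank lines dropped, .include path replaced.
SAMPLE_CNF = """\
config_diagnostics = 1
openssl_conf = openssl_init
.include /path/to/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
[algorithm_sect]
default_properties = fips=yes
"""

def parse_cnf(text):
    """Return ({section: {key: value}}, [include paths]); top-level keys go under 'default'."""
    sections, includes, current = {"default": {}}, [], "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        if m := re.fullmatch(r"\[\s*(\S+)\s*\]", line):
            current = m.group(1)
            sections.setdefault(current, {})
        elif m := re.match(r"\.include\s*=?\s*(.+)", line):
            includes.append(m.group(1))
        elif "=" in line:
            key, value = line.split("=", 1)          # split once: "fips=yes" contains '='
            sections[current][key.strip()] = value.strip()
    return sections, includes

def audit_fips(text):
    """Static view of what the file requests; only the loaded library knows the real state."""
    sections, includes = parse_cnf(text)
    init = sections.get(sections["default"].get("openssl_conf", ""), {})
    props = sections.get(init.get("alg_section", ""), {}).get("default_properties", "")
    fips_sect = sections.get(init.get("providers", ""), {}).get("fips")
    return {
        "default_properties_fips": "fips=yes" in [p.replace(" ", "") for p in props.split(",")],
        "fips_provider_listed": fips_sect is not None,
        # fips_sect normally lives in the included fipsmodule.cnf, not in this file
        "fips_section_from_include": bool(fips_sect and fips_sect not in sections and includes),
        "includes": includes,
    }
```
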

