Questions re building/using OpenSSL 3 with FIPS

Vivek V vivek+openssl at vera.com
Thu Jun 15 12:55:07 UTC 2023 

Hello,

We are in the process of building and deploying OpenSSL with the FIPS
module. We want to make sure we are doing it the right way, and have a few
questions:

**Config file**

Are there any stipulations on the contents of the config file? Our
preferred plan is to have a minimal openssl.cnf file, with following
contents, that in turn references the fips config file:

  openssl.cnf:
    config_diagnostics = 1
    openssl_conf = openssl_init

    .include = fipsmodule.cnf

    [openssl_init]
    providers = provider_sect

    [provider_sect]
    base = base_sect
    fips = fips_sect

    [base_sect]
    activate = 1

  fipsmodule.cnf:
    [fips_sect]
    activate = 1
    install-version = 1
    conditional-errors = 1
    security-checks = 1
    module-mac = <module-mac>
    install-mac = <install-mac>
    install-status = INSTALL_SELF_TEST_KATS_RUN

An alternate plan for the config file is to merge both of the above into a
single config file, and load it.

Any concerns with either of the above options?

**FIPS self-tests**
>From the docs, I see two alternatives to do the FIPS self-tests: (i) Doing
"make install_fips" on each instance, or (ii) Running the openssl tool with
fipsinstall option.

The former is not feasible for us since we cannot/don't want to build
openssl on each endpoint. Which leaves the latter ("openssl fipsinstall")
as the only feasible option.

Is this understanding correct? And in particular, "openssl fipsinstall" is
an acceptable choice to do the fips self-tests, correct?

**Building different openssl assets at different versions**
We obviously want to use the fips module fully complying with its
certification. In particular, we will be building the fips module off
OpenSSL 3.0.8.

There are a few other assets we require: the static libcrypto and libssl
libs, and the openssl tool. We plan to build these off the latest 3.0.x
release, which happens to be 3.0.9 currently. This is so as to benefit from
any fixes that are in the latest version.

Is the above fine? ie building the static libcrypto and libssl libs and the
openssl tool (and any other non-fips assets) off 3.0.9, and using them in
conjunction with the 3.0.8 fips provider?

Thanks
-Vivek
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230615/5295a5a4/attachment.htm>

More information about the openssl-users mailing list