Need Help on OpenSSl 3.0.x and FIPS enablement

Prasad, PCRaghavendra Pcraghavendra.Prasad at dell.com
Thu Mar 2 08:34:56 UTC 2023


Hi Paul,

Thanks for the information.

We will go through the documents once again for more understanding.

One basic doubt is when we deploy/build OpenSSL on our build machine with FIPS enabled (enable_fips) which will generate fips.dll/so and fipsmodule.cnf.
We then change the openssl.cnf to access the fipsmodule.cnf and enable fips on the build machine and execute the application or do it programmatically to load the fips module and run the application.

As for running on different machines to the build one, the security policy [csrc.nist.gov]<https://urldefense.com/v3/__https:/csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7ijN_GHg$> is clear that the checksum configuration cannot be copied between machines:

  *   But we carry libssl.so and libcrypto.so in our build artifacts till now and activate the fips at run time in our application (OpenSSL 1.0.2 FIPS)  on different machines (customer machines) as we are embedded software, so how it can be achieved using OpenSSL 3.0.x + FIPS versions? how can we achieve FIPS on different machines but built on one machine? Is it possible

Can you please throw some input on this?

Thanks,
Ragahvendra


From: openssl-users <openssl-users-bounces at openssl.org> On Behalf Of Dr Paul Dale
Sent: Wednesday, March 1, 2023 3:34 AM
To: openssl-users at openssl.org
Subject: Re: Need Help on OpenSSl 3.0.x and FIPS enablement


[EXTERNAL EMAIL]
Have you read the relevant documentation?  Specifically, the FIPS module guide [openssl.org]<https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/fips_module.html__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX4qN9JYmA$>, the FIPS provider [openssl.org]<https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-FIPS.html__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7hLE-Nwg$> and the migration guide [openssl.org]<https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/migration_guide.html__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX4Csj3-Tw$>?  These answer most of your questions and can be easy to miss.

With the FIPS provider in OpenSSL 3.0 you will not be able to escape having some configuration in a file.  The FIPS provider does an integrity check on start up and the correct checksum comes from configuration.

As for running on different machines to the build one, the security policy [csrc.nist.gov]<https://urldefense.com/v3/__https:/csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7ijN_GHg$> is clear that the checksum configuration cannot be copied between machines:
Note: The Module shall have the self-tests run, and the Module config file output generated on each platform where it is intended to be used. The Module config file output data shall not be copied from one machine to another.
I'll note that following the build and installation instructions from in the security policy [csrc.nist.gov]<https://urldefense.com/v3/__https:/csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7ijN_GHg$> is necessary for a FIPS compliant provider.


Pauli
On 1/3/23 04:52, Prasad, PCRaghavendra via openssl-users wrote:
Hi Team,

Our team has started migrating from OpenSSL 1.0.2 to OpenSSL 3.0.x version.
We are doing POC for the same on windows and Linux.

We have a tight schedule to finish the migration by April 1st week as we need to fix one critical BD issue and support TLS 1.3 feature as well.

The team and I are going through multiple docs of OpenSSL 3.x and trying to figure out how to configure fips once we build the OpenSSL.

Few things:

  1.  In openssl 3.0.x Fips module is installed/integrated by default (enable-fips) during the build step
  2.  Fipsmodule.cnf is present in the default location (c:\usr\local\ssl\)
  3.  After reading multiple ways on how to enable fips, one way is the config way where we need to change few params in openssl.cnf
  4.  By changing that and we did the test using openssl.exe ( sha1 passed and md5 failed) all good
  5.  Now the challenge is we need to set the fips enablement programmatically which we were going through multiple docs (openssl and some forums)
  6.  Till now we used OpenSSL 1.0.2 where the fipsmodule is embedded in libcrypto and we need to set it at the beginning of the application (fips_mode_set()) and everything else is taken care by default.
  7.  Now with OpenSSL 3.0.x how to set that fips mode for the entire application is not very clear
  8.  Very where they are talking about the config files, our application is a standalone application that bundles all the required libs(crypto/SSL) and runs on its own, it will not refer to any system config/lib files
  9.  So our doubt is if we build on the application on build machine containing OpenSSL 3.0.x and create an artifact. We need to run on different machines.
  10. In OpenSSL 3.0.x is there any hard dependency on the .cnf files should we carry them in our artifact and if so should we install them in the default path like ( C:\usr or /us/local) which we were not doing till now?

Any input on this will be really helpful

Thanks,
Raghavendra


Internal Use - Confidential

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230302/57391731/attachment-0001.htm>


More information about the openssl-users mailing list