<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
Have you read the relevant documentation? Specifically, the <a
moz-do-not-send="true"
href="https://www.openssl.org/docs/man3.0/man7/fips_module.html">FIPS
module guide</a>, the <a moz-do-not-send="true"
href="https://www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-FIPS.html">FIPS
provider</a> and the <a moz-do-not-send="true"
href="https://www.openssl.org/docs/man3.0/man7/migration_guide.html">migration
guide</a>? These answer most of your questions and can be easy to
miss.<br>
<br>
With the FIPS provider in OpenSSL 3.0 you will not be able to escape
having some configuration in a file. The FIPS provider does an
integrity check on start up and the correct checksum comes from
configuration.<br>
<br>
As for running on different machines to the build one, the <a
moz-do-not-send="true"
href="https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf">security
policy</a> is clear that the checksum configuration cannot be
copied between machines:<br>
<blockquote><i>Note: The Module shall have the self-tests run, and
the Module config file output generated on each</i><i> platform
where it is intended to be used. The Module config file output
data shall not be copied from</i><i> one machine to another.</i><br>
</blockquote>
I'll note that following the build and installation instructions
from in the <a moz-do-not-send="true"
href="https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf">security
policy</a> is necessary for a FIPS compliant provider.<br>
<br>
<br>
Pauli<br>
<br>
<div class="moz-cite-prefix">On 1/3/23 04:52, Prasad, PCRaghavendra
via openssl-users wrote:<br>
</div>
<blockquote type="cite"
cite="mid:MN2PR19MB40297AD3070AFAC064BF806F9AAC9@MN2PR19MB4029.namprd19.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="Generator" content="Microsoft Word 15 (filtered
medium)">
<style>@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri",sans-serif;
color:windowtext;}.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}div.WordSection1
{page:WordSection1;}ol
{margin-bottom:0in;}ul
{margin-bottom:0in;}</style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
<div class="WordSection1">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Our team has started migrating from OpenSSL
1.0.2 to OpenSSL 3.0.x version.<o:p></o:p></p>
<p class="MsoNormal">We are doing POC for the same on windows
and Linux.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We have a tight schedule to finish the
migration by April 1<sup>st</sup> week as we need to fix one
critical BD issue and support TLS 1.3 feature as well.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The team and I are going through multiple
docs of OpenSSL 3.x and trying to figure out how to configure
fips once we build the OpenSSL.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Few things:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">In openssl
3.0.x Fips module is installed/integrated by default
(enable-fips) during the build step<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Fipsmodule.cnf
is present in the default location (c:\usr\local\ssl\)<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">After
reading multiple ways on how to enable fips, one way is the
config way where we need to change few params in openssl.cnf<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">By changing
that and we did the test using openssl.exe ( sha1 passed and
md5 failed) all good<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Now the
challenge is we need to set the fips enablement
programmatically which we were going through multiple docs
(openssl and some forums)<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Till now we
used OpenSSL 1.0.2 where the fipsmodule is embedded in
libcrypto and we need to set it at the beginning of the
application (fips_mode_set()) and everything else is taken
care by default.<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Now with
OpenSSL 3.0.x how to set that fips mode for the entire
application is not very clear<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">Very where
they are talking about the config files, our application is
a standalone application that bundles all the required
libs(crypto/SSL) and runs on its own, it will not refer to
any system config/lib files<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">So our doubt
is if we build on the application on build machine
containing OpenSSL 3.0.x and create an artifact. We need to
run on different machines.<o:p></o:p></li>
<li class="MsoListParagraph"
style="margin-left:0in;mso-list:l0 level1 lfo1">In OpenSSL
3.0.x is there any hard dependency on the .cnf files should
we carry them in our artifact and if so should we install
them in the default path like ( C:\usr or /us/local) which
we were not doing till now?<o:p></o:p></li>
</ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any input on this will be really helpful<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghavendra<o:p></o:p></p>
<br>
<p class="msipfooter90245289" style="margin:0" align="Left"><span
style="font-size:7.0pt;font-family:Calibri;color:#737373">Internal
Use - Confidential</span></p>
</div>
</blockquote>
<br>
</body>
</html>