<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:DengXian;
panose-1:2 1 6 0 3 1 1 1 1 1;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"\@DengXian";
panose-1:2 1 6 0 3 1 1 1 1 1;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.msipfooter90245289, li.msipfooter90245289, div.msipfooter90245289
{mso-style-name:msipfooter90245289;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:910236747;
mso-list-template-ids:548969800;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1211695230;
mso-list-type:hybrid;
mso-list-template-ids:2070082986 5959478 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:DengXian;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l2
{mso-list-id:1476794352;
mso-list-template-ids:214485162;}
@list l2:level1
{mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level2
{mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level3
{mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level4
{mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level5
{mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level6
{mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level7
{mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level8
{mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l2:level9
{mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;}
@list l3
{mso-list-id:1514952340;
mso-list-type:hybrid;
mso-list-template-ids:2128656716 1478498346 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l3:level1
{mso-level-start-at:2;
mso-level-number-format:bullet;
mso-level-text:-;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Calibri",sans-serif;
mso-fareast-font-family:"Times New Roman";}
@list l3:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level3
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level4
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level6
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l3:level7
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l3:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l3:level9
{mso-level-number-format:bullet;
mso-level-text:;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Paul,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks for the information.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We will go through the documents once again for more understanding.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">One basic doubt is when we deploy/build OpenSSL on our <span style="background:yellow;mso-highlight:yellow">
build machine</span> with FIPS enabled (enable_fips) which will generate fips.dll/so and fipsmodule.cnf.<o:p></o:p></p>
<p class="MsoNormal">We then change the openssl.cnf to access the fipsmodule.cnf and enable fips on the
<span style="background:yellow;mso-highlight:yellow">build machine</span> and execute the application or do it programmatically to load the fips module and run the application.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">As for running on different machines to the build one, the <a href="https://urldefense.com/v3/__https:/csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7ijN_GHg$">
security policy [csrc.nist.gov]</a> is clear that the checksum configuration cannot be copied between machines:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo5">But we carry libssl.so and libcrypto.so in our build artifacts till now and activate the fips at run time in our application (OpenSSL 1.0.2 FIPS) on different machines (customer machines)
as we are embedded software, so how it can be achieved using OpenSSL 3.0.x + FIPS versions? how can we achieve FIPS on different machines but built on one machine? Is it possible<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can you please throw some input on this?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Ragahvendra<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> openssl-users <openssl-users-bounces@openssl.org>
<b>On Behalf Of </b>Dr Paul Dale<br>
<b>Sent:</b> Wednesday, March 1, 2023 3:34 AM<br>
<b>To:</b> openssl-users@openssl.org<br>
<b>Subject:</b> Re: Need Help on OpenSSl 3.0.x and FIPS enablement<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p><span style="color:#CE1126">[EXTERNAL EMAIL] <o:p></o:p></span></p>
</div>
<p class="MsoNormal">Have you read the relevant documentation? Specifically, the
<a href="https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/fips_module.html__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX4qN9JYmA$">
FIPS module guide [openssl.org]</a>, the <a href="https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/OSSL_PROVIDER-FIPS.html__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7hLE-Nwg$">
FIPS provider [openssl.org]</a> and the <a href="https://urldefense.com/v3/__https:/www.openssl.org/docs/man3.0/man7/migration_guide.html__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX4Csj3-Tw$">
migration guide [openssl.org]</a>? These answer most of your questions and can be easy to miss.<br>
<br>
With the FIPS provider in OpenSSL 3.0 you will not be able to escape having some configuration in a file. The FIPS provider does an integrity check on start up and the correct checksum comes from configuration.<br>
<br>
As for running on different machines to the build one, the <a href="https://urldefense.com/v3/__https:/csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7ijN_GHg$">
security policy [csrc.nist.gov]</a> is clear that the checksum configuration cannot be copied between machines:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal"><i>Note: The Module shall have the self-tests run, and the Module config file output generated on each platform where it is intended to be used. The Module config file output data shall not be copied from one machine to another.</i><o:p></o:p></p>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt">I'll note that following the build and installation instructions from in the
<a href="https://urldefense.com/v3/__https:/csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf__;!!LpKI!m6MpgYacWH24YdMndJMC-_RMlzLmjAHdaRHojogd7dgY9kbo0NUvc9yknt1Y_6gxdXxScH71o77lFX7ijN_GHg$">
security policy [csrc.nist.gov]</a> is necessary for a FIPS compliant provider.<br>
<br>
<br>
Pauli<o:p></o:p></p>
<div>
<p class="MsoNormal">On 1/3/23 04:52, Prasad, PCRaghavendra via openssl-users wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal">Hi Team,<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Our team has started migrating from OpenSSL 1.0.2 to OpenSSL 3.0.x version.<o:p></o:p></p>
<p class="MsoNormal">We are doing POC for the same on windows and Linux.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">We have a tight schedule to finish the migration by April 1<sup>st</sup> week as we need to fix one critical BD issue and support TLS 1.3 feature as well.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">The team and I are going through multiple docs of OpenSSL 3.x and trying to figure out how to configure fips once we build the OpenSSL.<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Few things:<o:p></o:p></p>
<ol style="margin-top:0in" start="1" type="1">
<li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">In openssl 3.0.x Fips module is installed/integrated by default (enable-fips) during the build step<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">Fipsmodule.cnf is present in the default location (c:\usr\local\ssl\)<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">After reading multiple ways on how to enable fips, one way is the config way where we need to change few params in openssl.cnf<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">By changing that and we did the test using openssl.exe ( sha1 passed and md5 failed) all good<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">Now the challenge is we need to set the fips enablement programmatically which we were going through multiple docs (openssl and some forums)<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">Till now we used OpenSSL 1.0.2 where the fipsmodule is embedded in libcrypto and we need to set it at the beginning of the application (fips_mode_set()) and everything else is taken
care by default.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">Now with OpenSSL 3.0.x how to set that fips mode for the entire application is not very clear<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">Very where they are talking about the config files, our application is a standalone application that bundles all the required libs(crypto/SSL) and runs on its own, it will not refer
to any system config/lib files<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">So our doubt is if we build on the application on build machine containing OpenSSL 3.0.x and create an artifact. We need to run on different machines.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l2 level1 lfo3">In OpenSSL 3.0.x is there any hard dependency on the .cnf files should we carry them in our artifact and if so should we install them in the default path like ( C:\usr or /us/local)
which we were not doing till now?<o:p></o:p></li></ol>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Any input on this will be really helpful<o:p></o:p></p>
<p class="MsoNormal"> <o:p></o:p></p>
<p class="MsoNormal">Thanks,<o:p></o:p></p>
<p class="MsoNormal">Raghavendra<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="msipfooter90245289" style="margin:0in"><span style="font-size:7.0pt;color:#737373">Internal Use - Confidential</span><o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>