Recommended way to create fipsmodule.cnf file on client machine. #21490
Hi Team, We are using the OpenSSL 3.0 version in our product. We will be shipping the OpenSSL libraries with our package. Please recommend a way to make sure that the app installed on the client machine is FIPS compliant. Should we package the OpenSSL libraries and the openssl.cnf file with our app, and then create the fipsmodule.cnf file at runtime? Are there any recommended ways to create this workflow, and are there any potential issues that we should be aware of? Any documentation around this? I already have https://www.openssl.org/docs/man3.0/man7/fips_module.html
Replies: 2 comments 3 replies
Both will load a FIPS compliant version. The second is more efficient. However, I'd recommend this instead: EVP_MD* md = EVP_MD_fetch(NULL, "SHA1", ""); The
The README-FIPS.md file is also useful.
As per the security policy, you should create the fipsmodule.cnf file on the client machine. Not doing so isn't strictly FIPS compliant. The instructions for doing this are in the security policy (the latest version should always be linked from the download page). Look in the policy's first appendix. Essentially, you should run the openssl fipsinstall command on the client to do this.
Also note that currently only OpenSSL 3.0.0 and 3.0.8 have had their FIPS provider validated. Any other version will not produce a compliant FIPS provider. However, you can use any version of OpenSSL (3.0.x or 3.1.x) with either of these FIPS providers. Instructions for doing this are in the README-FIPS file.
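As an added example (not part of the thread and not OpenSSL project code), here is a client-side post-install step for the reply above: it runs openssl fipsinstall on the client, verifies the generated file against the module, and writes an openssl.cnf that includes it, using the configuration layout from the fips_module(7) page linked in the question. The MYAPP_PREFIX variable, the directory layout and the function names are assumptions.

```shell
#!/bin/sh
# Added example: client-side post-install step (not from the thread).
# Assumed layout: $MYAPP_PREFIX/bin/openssl, lib/ossl-modules/fips.so, ssl/.

# Generate fipsmodule.cnf on THIS machine, then re-check it against the module.
# $1 = openssl binary, $2 = FIPS provider module, $3 = output fipsmodule.cnf
install_fips_module() {
    ossl=$1 module=$2 out=$3
    [ -f "$module" ] || { echo "missing FIPS module: $module" >&2; return 2; }
    # Runs the module self-tests and records the module integrity MAC in $out.
    "$ossl" fipsinstall -out "$out" -module "$module" || return 1
    # Confirm the generated config matches the module on disk.
    "$ossl" fipsinstall -in "$out" -module "$module" -verify || return 1
}

# Write an openssl.cnf that includes the locally generated fipsmodule.cnf,
# activates the fips and base providers, and defaults fetches to fips=yes.
# $1 = absolute path to fipsmodule.cnf, $2 = output openssl.cnf
write_openssl_cnf() {
    cat > "$2" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $1

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# Installer entry point; skipped unless MYAPP_PREFIX is set.
if [ -n "${MYAPP_PREFIX:-}" ]; then
    install_fips_module "$MYAPP_PREFIX/bin/openssl" \
        "$MYAPP_PREFIX/lib/ossl-modules/fips.so" "$MYAPP_PREFIX/ssl/fipsmodule.cnf" &&
    write_openssl_cnf "$MYAPP_PREFIX/ssl/fipsmodule.cnf" "$MYAPP_PREFIX/ssl/openssl.cnf"
fi
```

The package ships openssl.cnf content and fips.so only; fipsmodule.cnf is produced by the script on each client rather than copied from the build machine.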