How to define a FIPS cipher string in openssl3? #23707
-
While I was reading https://wiki.openssl.org/index.php/FIPS_mode_and_TLS, the list of ciphers approved in FIPS mode is given by ./openssl ciphers -v 'FIPS:!eNULL:!aNULL'. My question is about configuring the cipherString like below in
root@fips:/opt/ossl3/bin# ./openssl version -a
OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)
built on: Wed Feb 28 10:54:36 2024 UTC
platform: linux-x86_64
options: bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O0 -g -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/opt/ossl3/bin"
ENGINESDIR: "/opt/ossl3/lib64/engines-3"
MODULESDIR: "/opt/ossl3/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfefa32034f8bffff:0x2c1
root@fips:/opt/ossl3/bin# ./openssl list -providers
Providers:
base
name: OpenSSL Base Provider
version: 3.0.13
status: active
default
name: OpenSSL Default Provider
version: 3.0.13
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.13
status: active
legacy
name: OpenSSL Legacy Provider
version: 3.0.13
status: active
null
name: OpenSSL Null Provider
version: 3.0.13
status: active
root@fips:/opt/ossl3/bin#
List FIPS-approved ciphers.
-
Some part of the question is related to this question: #23457
-
Enabling FIPS mode globally via openssl.cnf or via application code will limit the application to using only FIPS approved ciphers regardless of what your cipher selection is. Your cipher selection may limit it further, but can never allow a non-FIPS cipher. For example, on a FreeBSD system I have with OpenSSL 3.0.12, FIPS provider 3.0.9, and FIPS enabled, openssl ciphers ALL and openssl ciphers DEFAULT both produce the same list of ciphers, while openssl ciphers HIGH produces a smaller list. In all cases, all the ciphers meet the FIPS 140-2 requirements at the time 3.0.9 was approved.
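The behaviour the reply describes can be checked end to end with the script below. It is an added example, not code from the discussion or from the OpenSSL project: it writes a private openssl.cnf that activates the FIPS provider globally in the layout documented in fips_module(7), then prints the cipher list for ALL, DEFAULT, HIGH and the wiki's FIPS:!eNULL:!aNULL string under that config, and finally lists which suites of the build's normal configuration vanish once fips=yes is the default property. It assumes an OpenSSL 3.x binary on PATH and a fipsmodule.cnf produced by openssl fipsinstall; the default path /opt/ossl3/ssl/fipsmodule.cnf is a placeholder (the thread's build reports OPENSSLDIR as /opt/ossl3/bin, so adjust it), and the helper names write_fips_config, cipher_list and ciphers_not_in are my own.

```shell
#!/bin/sh
# Added example (not code from the discussion or from OpenSSL): enable the
# FIPS provider through a private openssl.cnf and compare cipher lists.
# Assumptions: an OpenSSL 3.x `openssl` on PATH and a fipsmodule.cnf written
# by `openssl fipsinstall`.  The default path below is a placeholder; override
# it with FIPS_MODULE_CNF=/path/to/fipsmodule.cnf.
set -eu

FIPS_MODULE_CNF="${FIPS_MODULE_CNF:-/opt/ossl3/ssl/fipsmodule.cnf}"

# Write a config (layout from fips_module(7)) that loads only the FIPS and
# base providers and pins the default property query to fips=yes, so a cipher
# string can narrow the selection but never re-enable a non-approved algorithm.
# The [fips_sect] section itself lives in the included fipsmodule.cnf.
write_fips_config() {
    cat > "$1" <<EOF
config_diagnostics = 1
openssl_conf = openssl_init

.include $FIPS_MODULE_CNF

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# Print the suites of colon-separated list $1 that are absent from list $2,
# one per line.  Pure shell, so it also works on constructed input.
ciphers_not_in() {
    for c in $(printf '%s' "$1" | tr ':' ' '); do
        case ":$2:" in
            *":$c:"*) ;;
            *) printf '%s\n' "$c" ;;
        esac
    done
}

# Cipher list for spec $2 evaluated under config file $1 (one colon-separated line).
cipher_list() {
    OPENSSL_CONF="$1" openssl ciphers "$2"
}

main() {
    if ! command -v openssl >/dev/null 2>&1 || [ ! -r "$FIPS_MODULE_CNF" ]; then
        echo "openssl or $FIPS_MODULE_CNF not available; nothing to compare" >&2
        return 0
    fi
    cfg=$(mktemp)
    write_fips_config "$cfg"

    # Only base and fips should show up as active here.
    OPENSSL_CONF="$cfg" openssl list -providers

    all=$(cipher_list "$cfg" ALL)
    def=$(cipher_list "$cfg" DEFAULT)
    high=$(cipher_list "$cfg" HIGH)
    wiki=$(cipher_list "$cfg" 'FIPS:!eNULL:!aNULL')

    for spec in ALL DEFAULT HIGH 'FIPS:!eNULL:!aNULL'; do
        printf '%-22s %s suites\n' "$spec" "$(cipher_list "$cfg" "$spec" | tr ':' '\n' | wc -l)"
    done
    echo "ALL and DEFAULT identical under FIPS: $([ "$all" = "$def" ] && echo yes || echo no)"
    echo "suites in ALL but not in HIGH:"
    ciphers_not_in "$all" "$high"
    echo "suites in ALL but not in FIPS:!eNULL:!aNULL:"
    ciphers_not_in "$all" "$wiki"

    # Suites the build's normal (non-FIPS) configuration offers that FIPS removed.
    echo "suites dropped by FIPS mode compared with the default config:"
    ciphers_not_in "$(openssl ciphers ALL)" "$all"
    rm -f "$cfg"
}

main
```

Run it with FIPS_MODULE_CNF pointing at your generated fipsmodule.cnf. The per-spec counts reproduce the reply's observation (ALL and DEFAULT coincide, HIGH is shorter), and the final list shows which suites from the default configuration disappear once the FIPS provider is the only source of implementations; the cipher string never adds anything back.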