How to install certified fips module into debian openssl package version 3.0.11-1~deb12u2

[devanathan-krishnan]

I am looking for way to install debian package version 3.0.11-1~deb12u2 into my system and install some certified fips module (like 3.0.8) into that. I am planning to use some of my application with fips certified algorithm whereas some other may be just using non fips version. Is this possible to achieve? Can you please help.

Thanks

[devanathan-krishnan]

Can someone please throw some light here.

I tried to install fips module of 3.0.8 onto a system where we have 3.0.11 openssl installed.
openssl fipsinstall -out /usr/lib/ssl/fipsmodule.cnf -module /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so
The install says PASSED with final log "INSTALL PASSED"
But, When I try to get the provider list for fips, I am getting error.
openssl list -providers -provider fips
list: unable to load provider fips
Hint: use -provider-path option or OPENSSL_MODULES environment variable.
4027D0138A7F0000:error:1C8000D5:Provider routines:SELF_TEST_post:missing config data:providers/fips/self_test.c:290:
4027D0138A7F0000:error:1C8000E0:Provider routines:ossl_set_error_state:fips module entering error state:providers/fips/self_test.c:388:
4027D0138A7F0000:error:1C8000D8:Provider routines:OSSL_provider_init_int:self test post failure:providers/fips/fipsprov.c:707:
4027D0138A7F0000:error:078C0105:common libcrypto routines:provider_init:init fail:../crypto/provider_core.c:932:name=fips

Am I missing any step here?

[kulkarniamit]

Two key settings might be missing:

• openssl.cnf should have a .include directive pointing to the full path of fipsmodule.cnf
• openssl.cnf should contain a reference to the fips section name inside fipsmodule.cnf within [provider_sect]

Example:

$ grep -B2 "^\.include\|^fips " /usr/lib/ssl/openssl.cnf
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
.include /usr/lib/ssl/fipsmodule.cnf
--
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect

openssl list command should now be able to list fips as a provider

$ openssl list -providers -provider fips
Providers:
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.8
    status: active

OpenSSL fips module guide for reference.

Additionally, you can refer to "Selectively making applications use the FIPS module by default" and "Programmatically loading the FIPS module" sections from OpenSSL fips module guide to learn more about selectively using FIPS provider for applications.

[devanathan-krishnan]

Thanks a lot for the response @kulkarniamit . I just figured it out an hour back.