Hi,
I am working to package OpenSSL 3.1.x with my product.
As I prefer to be FIPS complaint, I would like to use FIPS module from
OpenSSL 3.0.9.
1) From the Documentation(
https://github.com/openssl/openssl/blob/master/README-FIPS.md) , what I
understood is,
I need to build
On 24/05/2024 16:57, murugesh pitchaiah wrote:
Thanks Matt for looking into this.
Here is the output:
# openssl list --providers -provider fips -provider base
Providers:
base
name: OpenSSL Base Provider
version: 3.0.9
status: active
Hi Matt,
Could you please share any insights on why these errors seen on
programmatically loading fips provider :
*80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
state:../openssl-3.0.9/providers/fips/self_test.c:262:*
*80D1CD65667F:error:1C8000D8:Provider
Thanks Matt for looking into this.
Here is the output:
# openssl list --providers -provider fips -provider base
Providers:
base
name: OpenSSL Base Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
Also
What do you get by loading the provider via the "openssl list" command,
i.e. what is the output from:
$ openssl list --providers -provider fips -provider base
Matt
On 24/05/2024 15:48, murugesh pitchaiah wrote:
Thanks Neil for your response. Please find more details below.
Thanks Neil for your response. Please find more details below.
Yes we run fipsinstall and then edit the fipsmodule.conf file to remove the
'activate=1' line. Then try to programmatically load FIPS provider. Here
are the details steps.
Once the device boots up , The device has fipsmoudle.cnf
I assume that, after building the openssl library you ran openssl
fipsinstall? i.e. you're not just using a previously generated
fipsmodule.cnf file? The above errors initially seem like self tests
failed on the fips provider load, suggesting that the module-mac or
install-mac is incorrect
Hi,
Need your help on using openssl fips provider programmatically with openssl
3.0.9.
Error seen:
*80D1CD65667F:error:1C8000D4:Provider routines:SELF_TEST_post:invalid
state:../openssl-3.0.9/providers/fips/self_test.c:262:*
*80D1CD65667F:error:1C8000D8:Provider
A good question.
In a nut shell: the 3.0.0 FIPS provider is designed to work with all
3.0.x releases. We actively test this as part of our CI loops and it's
the way to claim FIPS compliance when using OpenSSL 3.0.7. You need to
build 3.0.7 (with or without FIPS support) and the 3.0.0 FIPS
The OpenSSL project has obtained certificate #4282
<https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282>
from NIST for the FIPS provider. Nice. However, the certificate and
accompanying security policy specifically list version 3.0.0 while the
current r
Please read the blog post about this here:
https://www.openssl.org/blog/blog/2022/08/24/FIPS-validation-certificate-issued/
Matt
(ERR_LIB_PROV, PROV_R_INVALID_CURVE,
"Explicit curves are not allowed in fips mode");
return 0;
}
Thank you!
cheers,
-Felipe Gasper
All the providers can use the low-level APIs internally to implement
crypto algorithms. The FIPS provider however includes all the low level
implementations as a separately built and statically linked code.
That means you cannot use the low-level calls in an application and
still be FIPS
Hi,
I understand that low-level APIs have been deprecated in version 3. I have
been playing some with the fips provider trying to understand the config
options to use with it. I noticed that the fips provider source code
includes a few low level APIs like SHA256_Init().
Is it correct to conclude
this was a deliberate day 1 design decision.
Matt
-Original Message-
*From*: Matt Caswell <mailto:matt%20caswell%20%3cm...@openssl.org%3e>>
*To*: openssl-users@openssl.org <mailto:openssl-users@openssl.org>
*Subject*: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
*Date*: F
%3cm...@openssl.org%3e>>
To: openssl-users@openssl.org<mailto:openssl-users@openssl.org>
Subject: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
Date: Fri, 25 Mar 2022 20:22:02 +
On 25/03/2022 18:33, Paul Spencer wrote:
Q: Is it possible to have a static (.a) OpenSSL 3 libra
On 25/03/2022 18:33, Paul Spencer wrote:
Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and
special linking in the Makefile). However, with SSL3, if I go
Configure no-module enable-fips
Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and special
linking in the Makefile). However, with SSL3, if I go
Configure no-module enable-fips
then it silently disables FIPS. Is there any way to do this?
Good luck, the 2.0.16 FOM is nowhere near being 140-3 ready.
The Oracle version is much closer but still not quite there:
https://github.com/oracle/solaris-openssl-fips
Pauli
On 17/3/22 19:19, Dhananjay kumar wrote:
Hi All,
We are looking to go through FIPS 140-3 certification for one
Hi All,
We are looking to go through FIPS 140-3 certification for one of our
products which still runs on openssl 1.0.2(fips object module 2.0.16)
version due to some software dependencies.
in FIPS 140-3, we are asked to explicitly implement KATs(known answer
tests) for below algorithms since
Hi,
I'm trying to enable FIPS using the configuration file. So instead of
explicitly calling the LOAD APIs I'm able doing by adding these line in the
openssl cnf file:
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect
On Tue, 15 Feb 2022 at 09:53, Tomas Mraz wrote:
> Please note that there are two checksums in the configuration file. One
> of them is the FIPS module checksum and the other is the checksum of
> the configuration. You can copy the file across machines if it is
> without the c
Please note that there are two checksums in the configuration file. One
of them is the FIPS module checksum and the other is the checksum of
the configuration. You can copy the file across machines if it is
without the configuration checksum - that means the selftest will be
always run when
THIS FAILS
syslog(LOG_NOTICE, "%s %s", phase, desc);
return 0;
}
ret = 1;
err:
return ret;
}
Thanks,
Ashish
*From:* openssl-users *On Behalf
Of *Dr Paul Dale
*Sent:* Tuesday, February 8, 2022 1:35 PM
*To:* openssl-users@openssl.org
There is nothing stopping cheating.
If you are going to cheat, why bother with FIPS at all? Just claim
you're FIPS.
Pauli
On 15/2/22 10:49, Ma Ar wrote:
Maybe a dumb question too, considering that i am admittedly just
getting into this field, but I though maybe if I ask I might learn
Tom, thanks for looking this up. I believe that this particular piece
of guidance was removed in 140-3.
Pauli
On 15/2/22 10:57, Thomas Dwyer III wrote:
I believe the relevant standard is described in the Implementation
Guidance for FIPS 140-2:
https://csrc.nist.gov/csrc/media/projects
I believe the relevant standard is described in the Implementation Guidance
for FIPS 140-2:
https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/fips140-2/fips1402ig.pdf
(see IG 9.11 beginning on page 179). I searched briefly for similar text in
FIPS 140-3 IG
to to certify compliance can be
falsified by copying over 1 file, what would even be to purpose of those
tests?
Or are simply dependency checks?
Thanks for all the effort it must take in answering all these questions
every day.
On 2/14/2022 5:31 PM, Dr Paul Dale wrote:
Yes, this has to do with the FIPS
Yes, this has to do with the FIPS standards. I forget which standard it
is but the self tests are mandated to be run on each device independently.
The fipsinstall process runs the self tests before generating the
configuration file. If the self tests fail, the module doesn't
install
Hi
Probably a dumb question, but why must the FIPS module configuration file
for OpenSSL 3.0 be generated on every machine that it is to be used on
(i.e. must not be copied from one machine to another)?
I just ran 'openssl fipsinstall' on two different machines with the same
FIPS module
On Fri, 2022-02-11 at 08:35 +, Kevin Millson wrote:
> Hello OpenSSL Users,
>
> I’m trying to use SHA1 message digest hashing in combination with the
> FIPS provider, but seem to be running into issues. My code looks like
> the following:
>
> EVP_PKEY* priva
Hello OpenSSL Users,
I’m trying to use SHA1 message digest hashing in combination with the FIPS
provider, but seem to be running into issues. My code looks like the following:
EVP_PKEY* privateKey = getPrivateKey();
EVP_MD_CTX* mdContex = EVP_MD_CTX_new();
if (mdContex != NULL) {
const
Behalf
Of *Dr Paul Dale
*Sent:* Tuesday, February 8, 2022 1:35 PM
*To:* openssl-users@openssl.org
*Subject:* [EXTERNAL] Re: Not able to perform FIPS self-tests
Have you considered using the provided for this:
OSSL_PROVIDER_self_test()?
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html
&
-THIS FAILS
syslog(LOG_NOTICE, "%s %s", phase, desc);
return 0;
}
ret = 1;
err:
return ret;
}
Thanks,
Ashish
From: openssl-users On Behalf Of Dr Paul
Dale
Sent: Tuesday, February 8, 2022 1:35 PM
To: openssl-users@openssl.org
Subject: [EXTER
Have you considered using the provided for this: OSSL_PROVIDER_self_test()?
https://www.openssl.org/docs/man3.0/man3/OSSL_PROVIDER.html
Pauli
On 8/2/22 17:41, Gahlot, Ashish Kumar wrote:
Hello All,
I’m trying to execute self-tests that FIPS runs after installation
manually by calling
Hello All,
I'm trying to execute self-tests that FIPS runs after installation manually by
calling the APIs. I'm using code from
https://github.com/openssl/openssl/blob/7cce994d3e57345ba729388b9321d9bf8b661b4f/providers/fips/self_test_kats.c
but I'm getting NULL when I'm trying to fetch
This does not mean we wouldn't be interested in having better iOS
support if someone was willing to contribute.
Paul Dale
On 3/2/22 5:38 pm, pa...@openssl.org wrote:
The FIPS provider will likely not work with iOS as it currently stands.
The development team are not up to speed on iOS
The FIPS provider will likely not work with iOS as it currently stands.
The development team are not up to speed on iOS and not much effort was
put into supporting it (or Android for the same reason). We didn't even
get remotely close to having code signed.
Paul Dale
On 27/1/22 4:41 am
Hello All,
Has anyone tried using the FIPS provider on iOS and got it uploaded and
successfully reviewed by Apple?
Apple won't let you just put the 'fips.dylib' in your app's bundle so we've
wrapped it in a iOS Framework Bundle, which solves some of the problems. But
Apple are scanning
line
perl Configure enable-fips VC-WIN32 --debug
--prefix=D:\outssl\Dll\x32\debug --openssldir=D:\outssl\ssl
nmake
nmake install
debug and release version tested
all seems fine even the compilation of fips.dll module
now I tried to create a command line too that just try to load the FIPS
Hi
I retrieved and compiled official openssl 3 version from openssl site
configure the project with such command line
perl Configure enable-fips VC-WIN32 --debug
--prefix=D:\outssl\Dll\x32\debug --openssldir=D:\outssl\ssl
nmake
nmake install
debug and release version tested
all seems fine
On 26/01/2022 11:27, Jan Lana wrote:
Hi,
When I run
openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256
it shows this non complain cipher is available.
This looks correct behaviour to me. Your openssl.cnf file is explicitly
activating the default provider
Hi,
When I run
openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256
it shows this non complain cipher is available. To add '-propquery
fips=yes' argument does not help. IMHO it is not correct behavior.
I have the default and fips providers enabled in openssl.cnf
Good Morning,
I am having an issue with the FIPS Module in an OpenSSL 3.0 build. Below are
the build steps and the issues that I am seeing. Sorry for the length but I am
trying to provide all of the relevant details in hopes that the solution to
this issue will be easily identifiable.
First
Good Morning,
I am having an issue with the FIPS Module in an OpenSSL 3.0 build. Below are
the build steps and the issues that I am seeing. Sorry for the length but I am
trying to provide all of the relevant details in hopes that the solution to
this issue will be easily identifiable.
First
platform policy page categories are defined but the OpenSSL
project's access to hardware. We do not have access to Solaris boxes
and no community member has offered to help either with support or
provision of hardware. This is why it is in the "unadopted" category.
Oracle, as on
Hi,
I'm hoping someone can shed some light on something that's confusing me. In
the blog post about the FIPS
submission<https://www.openssl.org/blog/blog/2021/09/22/OpenSSL3-fips-submission/>
it states that one of the platforms that's being tested is "Oracle Solaris
11.4 on Oracle
On 06/12/2021 15:49, Cristian Andrei Sandu wrote:
Hi guys,
Is there any way I can re-load the FIPS provider after it reached its
error state? I’d like to do it without restarting the process. (If it
matters, I’m already using a non-default library context with a separate
configuration
Hi guys,
Is there any way I can re-load the FIPS provider after it reached its error
state? I'd like to do it without restarting the process. (If it matters, I'm
already using a non-default library context with a separate configuration file
that I load with OSSL_LIB_CTX_load_config()).
I'd
Hi,
I am upgrading code from OpenSSL 1.0.2 to 3.0. We are programmatically loading
and unloading FIPS and have separate module code for FIPS module.
I have written code for main() and self_test_cb() as per the following manual-
/docs/manmaster/man7/fips_module.html
(openssl.org)<ht
On 12/11/21 4:02 am, Kory Hamzeh wrote:
I am writing the FIPS DRBG AVS per NIST SP800-90A. I have some questions.
1. Is the TEST-RAND ok for nist test? I am planning to basically follow the
steps in test/acvp_test.c:drbg_test(), but the data is read in from a file
rather than an in memory
I am writing the FIPS DRBG AVS per NIST SP800-90A. I have some questions.
1. Is the TEST-RAND ok for nist test? I am planning to basically follow the
steps in test/acvp_test.c:drbg_test(), but the data is read in from a file
rather than an in memory structure.
2. Some of the test vectors
Thanks to everyone for the help so far. I think I have things set up correctly
as far as FIPS, providers, and library contexts. I'm hitting another problem
that I think is related to the migration to OpenSSL 3.0, as this code works
with OpenSSL 1.1.1 (and 1.0.2 before it). When looking
On 29/10/2021 16:40, Cristian Andrei Sandu wrote:
Hi all,
I’m currently updating an application from OpenSSL 1.0.2d to OpenSSL
3.0.0 in preparation for a FIPS 140-2 submission and I’m not sure how to
approach the issue of induced failures for the power on self tests.
In OpenSSL 1.0.2d we
Hi all,
I'm currently updating an application from OpenSSL 1.0.2d to OpenSSL 3.0.0 in
preparation for a FIPS 140-2 submission and I'm not sure how to approach the
issue of induced failures for the power on self tests.
In OpenSSL 1.0.2d we used to use FIPS_post_set_callback() for this purpose
with. Otherwise bad things might happen.
Since I didn't "explicitly" load the fips and base providers with API
calls, I only need to unlead the default provider, as well as free both
library contexts.
Correct.
Also, when I did try to unload the fips and base providers, the call to
OSSL_PROVI
should be the following:
OSSL_LIB_CTX_free(fips_libctx);
OSSL_LIB_CTX_free(non_fips_libctx);
OSSL_PROVIDER_unload(defp);
Since I didn't "explicitly" load the fips and base providers with API calls, I
only need to unlead the default provider, as well as free both library conte
what providers
get loaded later without having to recompile.
If you decided to do it via config then you probably want *2* different
config files. One for the fips libctx and one for the non-fips libctx.
I also still have this in my code:
/* Disallow falling back to the def
Thanks Matt. I actually had this working (loading the fips_libctx using the
*load_config() API) but I was hitting other issues and thought I was doing
something wrong (more on that later).
So to review, I have my own config file, /usr/local/ssl/openssl-fips, with the
relevant contents(some
On 27/10/2021 17:28, Jason Schultz wrote:
With these config files and the code above, the
OSSL_PROVIDER_load(fips_libctx, "fips") call fails. Here are the
messages from the ERR_print_errors_fp() call:
2097C692B57F:error:1C8000D5:Provider routines:(unknown
function):miss
Sorry, I meant to include the config information in my previous email. I should
probably go back to the beginning, I've been trying a lot of different
combinations without success, so unwinding to the beginning and taking one step
at a time is probably appropriate. Since I want the FIPS changes
On 26/10/2021 20:17, Jason Schultz wrote:
Thanks for all of the help so far. Unfortunately, I'm still struggling
with this. There could be a number of issues, starting with the
installation of OpenSSL. I basically followed the documentation and did
the following:
./Configure enable-fips
Ah, OK. Yes, I am running on the same machine. Thanks for clarifying.
From: Kory Hamzeh
Sent: Tuesday, October 26, 2021 9:15 PM
To: Jason Schultz
Cc: Dr Paul Dale ; openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
Actually, if you
truggling with
> this. There could be a number of issues, starting with the installation of
> OpenSSL. I basically followed the documentation and did the following:
>
> ./Configure enable-fips
> make
> make test
> make install
>
> The "make test" actually fail
Kory-
If I'm understanding the README-FIPS.md file, I don't need to do the
"fipsinstall", it is done during the normal installation process when FIPS is
enabled, presumably with the "enable-fips" on the configure command:
Installing the FIPS module
===
> OpenSSL. I basically followed the documentation and did the following:
>
> ./Configure enable-fips
> make
> make test
> make install
>
> The "make test" actually fails, but I did not troubleshoot as it seems like a
> lot of systems have issues here. But I kno
Thanks for all of the help so far. Unfortunately, I'm still struggling with
this. There could be a number of issues, starting with the installation of
OpenSSL. I basically followed the documentation and did the following:
./Configure enable-fips
make
make test
make install
The "make
It was meant for the second method only. The first method is using
different library contexts to distinguish FIPS algorithms. Using the
properties in addition is harmless and might prevent a future mistake
that breaks compliance.
Pauli
On 26/10/21 4:46 am, Jason Schultz wrote:
Thanks again
ed calling the following API for FIPS:
EVP_set_default_properties(NULL, “fips=yes”);
Was the EVP_set_default_properties() call specifically and only for the 2nd
method, or did that API call apply to both the first and second methods you
explained? From reading the doc for that call, it seems lik
The configuration shouldn't have much impact. You will need a fips
section specifying where the integrity check data are. You shouldn't
need base or default sections.
Pauli
On 25/10/21 5:23 am, Jason Schultz wrote:
Thank you for your response. I think all of that makes sense, and
seems
for fips, base, default,
etc?
Regards,
Jason
From: openssl-users on behalf of Dr Paul
Dale
Sent: Sunday, October 24, 2021 12:28 AM
To: openssl-users@openssl.org
Subject: Re: OpenSSL 3.0 FIPS questions
Oops, the second time this occurs "defp = OSSL_PROVIDER
Oops, the second time this occurs "defp =
OSSL_PROVIDER_load(non_fips_libctx, "default");" it should be "defp =
OSSL_PROVIDER_load(NULL, "default");"
Pauli
On 24/10/21 10:06 am, Dr Paul Dale wrote:
defp = OSSL_PROVIDER_load(non_fips_libctx, "default");
There are several approaches you could take. With two library contexts:
fips_libctx = OSSL_LIB_CTX_new();
non_fips_libctx = OSSL_LIB_CTX_new();
fipsp = OSSL_PROVIDER_load(fips_libctx, "fips");
basep = OSSL_PROVIDER_load(fips_libctx,"base"); /* can't
One way to do what you want is with two config file, and and in the first line
of your main() function, add:
putenv(“OPENSSL_CONF=/path/to/your/conf”)
depending on whether you want to run in FIPS mode or not. Of course, this only
works if FIPS is needed application wide, not on a per
Quick aside: I know the 3.0 FIPS module is not "approved" yet, I'm just trying
to get my application updates done in advance.
I’m porting an application from OpenSSL 1.1.1, which was originally written for
OpenSSL 1.0.2, to OpenSSL 3.0. Going to 3.0, I need to incorporate FIPS usage.
Kory,
The situation is more complicated but your solution below is the one I'd
have suggested.
SP800-90B says bad things about /dev/random but this is modified by IG
7.14 indicates that it is okay to use /dev/random. Then IG 7.19 says
that it isn't. The current FIPS 140-2 validation
I think you've got the fist of the restriction. You cannot make any
changes to the source code, build files or the commands you use to build
the FOM. None are acceptable if you want a FIPS validate outcome. I.e.
you will lose the FIPS 140-2 validation state if you change anything.
Pauli
hi,
I develop my application and I need to use OpenSSL 1.0.2 with the OpenSSL
FIPS Object Module 2.0. I know that OpenSSL 3.0 was released, but
unfortunately I must use OpenSSL 1.0.2.
I have read OpenSSL FIPS Object Module 2.0 documentation and I have one
misunderstanding.
*"
On 23/09/2021 18:24, Zeke Evans wrote:
I noticed the OpenSSL FIPS Provider is not listed on the CMVP Modules
In Process List. Assuming this is the 3.0 FIPS module that was just
released. Nice work on getting to this point. Which platforms is the
module being validated on? I haven’t seen
I noticed the OpenSSL FIPS Provider is not listed on the CMVP Modules In
Process List. Assuming this is the 3.0 FIPS module that was just released.
Nice work on getting to this point. Which platforms is the module being
validated on? I haven't seen an official list if that was published
Adding that should be enough to force only FIPS validated algorithms are
used.
Just doing that isn't enough, there is more you are going to need to
do. E.g. you will need to load the FIPS and base providers either via
config or explicitly.
It's possible to set the default properties via
I have an OpenSSL app which performs ECDH-KAS using openssl-1.0.1g +
openssl-fips-2.0.5. It needs to be FIPS compatible. The app was written using
the low level ECDH functions similar to what is documented here:
https://wiki.openssl.org/index.php/Elliptic_Curve_Diffie_Hellman
On 2021-06-25 22:26, Richard Levitte wrote:
On Wed, 23 Jun 2021 10:51:05 +0200,
Tomas Mraz wrote:
On Wed, 2021-06-23 at 08:12 +, Kumar Mishra, Sanjeev wrote:
Notice: This e-mail together with any attachments may contain
information of Ribbon Communications Inc. and its Affiliates that is
On Wed, 23 Jun 2021 10:51:05 +0200,
Tomas Mraz wrote:
>
> On Wed, 2021-06-23 at 08:12 +, Kumar Mishra, Sanjeev wrote:
>
> > Notice: This e-mail together with any attachments may contain
> > information of Ribbon Communications Inc. and its Affiliates that is
> > confidential and/or
On Wed, 2021-06-23 at 08:12 +, Kumar Mishra, Sanjeev wrote:
> Hi,
>
> I am upgrading the code of OpenSSL 1.0 to 3.0. I am not getting some
> macros for FIPS example -
>
> FIPS_TEST_INTEGRITY
> FIPS_R_PAIRWISE_TEST_FAILED
> FIPS_R_DRBG_STUCK etc.
It is unclear what
Hi,
I am upgrading the code of OpenSSL 1.0 to 3.0. I am not getting some macros for
FIPS example -
FIPS_TEST_INTEGRITY
FIPS_R_PAIRWISE_TEST_FAILED
FIPS_R_DRBG_STUCK etc.
What is alternative of above macros ? How I work around this ? What header file
do I need to include for these macro
To be more specific, Please help me point out the API, which supports *RSA
186-4 key generation*.
Thanks,
Pramod.
On Tue, Jun 8, 2021 at 4:06 PM Illuri Pramod
wrote:
> Hello All,
>
> I am looking for options to support fips 186-4 in openssl 1.0.2. Oracle
> FOM based out of fips o
Hello All,
I am looking for options to support fips 186-4 in openssl 1.0.2. Oracle FOM
based out of fips object module (FOM) 2.0.13, which is available in public
domain, claims to have 186-4 support as per the documentation. However, I
didn't find the specific diff/API, which added this support
The 'fips' option is now disabled by default.
For the 'makedepend' option, several people raised concerns whether the
disadvantages of disabling it
wouldn't outweigh the performance gain at build time, see discussion in pull
request #15050.
So I decided to drop pull request, the 'makedepend
Just a short heads-up to all users testing and developing for OpenSSL 3.0:
The defaults for the configuration options 'fips' and 'makepend' are going to
change on the master branch soon
(i.e., before the release of 3.0.0 alpha16): they will be disabled by default.
If your developer workflow
> From: "Bhadri Madapusi"
>
> Is there any documentation on which version of openssl are supported
> on PPC LE. I am trying to figure out which version of 1.0.2 source
> and FIPS module to use to compile my nginx with openssl and FIPS. Thank
you.
Not documentation,
Hi,
Is there any documentation on which version of openssl are supported on
PPC LE. I am trying to figure out which version of 1.0.2 source and FIPS
module to use to compile my nginx with openssl and FIPS. Thank you.
regards,
Bhadri
Our general suggestion is to keep the FIPS configuration in it's own
file and include that -- this helps when updating.
Does a full path to the providers directory help?
Could you try a build with debugging symbols so it's possible to see
what's going on better?
Set a breakpoint
Hi All,
Can you kindly help me with this error while running the below program that
tries to load the configuration which has the FIPs provider?
The program is built on build machine and to be run on linux MIPS platform and
below error is seen:
#include
main () {
OSSL_LIB_CTX
1> Can you please help to understand the differences in the FIPs algorithm
implementation code vs default?
Are there additional validations performed in FIPs code?
There are some additional validations, there are other differences. Grep
the source code for FIPS_MODULE to find
Hi All,
This is a basic question regarding FIPs algorithm code in OpenSSL 3.0, can you
kindly let me know:
1> Can you please help to understand the differences in the FIPs algorithm
implementation code vs default?
Are there additional validations performed in FIPs code?
Can
.
With this compilation model, will it be feasible to integrate with the FIPs
object module in OpenSSL 3.0?
How can we load the FIPS provider in our application?
(I have gone through the section about the FIPs module installation in
https://wiki.openssl.org/index.php/OpenSSL_3.0#Platforms)
Any
Hi All,
We build the "crypto" code in OpenSSL to generate "libcrypto.a" for MIPs
platform.
Our application links statically with "libcrypto.a" and uses the OpenSSL crypto
API's accordingly.
With this compilation model, will it be feasible to integrate with the
> From: openssl-users On Behalf Of Nagarjun
> J
> Sent: Friday, 12 March, 2021 06:49
> How to be FIPS compliance with openssl-1.1.1j version , as does not have fips
> object module, is they any ways?
It's possible, in theory; it's even been done. But it's almost certainl
Hi,
How to be FIPS compliance with openssl-1.1.1j version , as does not have
fips object module, is they any ways?
Regards
Nagarjun
1 - 100 of 2806 matches
Mail list logo