/proc/sys/crypto/fips_enabled=1 is this enough to make OpenSSL to change its mode to FIPS?


Hareesh Joshi
Hi,

I've a CentOS machine with 
   1. FIPS capable OpenSSL module installed
   2. Kernel switched to FIPS with /proc/sys/crypto/fips_enabled=1

Will this make OpenSSL switch to FIPS mode as well? Or do I necessarily need to use OPENSSL_FIPS=1?



Thank you,
-Hareesh Joshi

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: /proc/sys/crypto/fips_enabled=1 is this enough to make OpenSSL to change its mode to FIPS?

Steve Marquess-4
On 05/12/2017 05:17 PM, Hareesh Joshi wrote:
> Hi,
>
> I've a CentOS machine with
>    1. FIPS capable OpenSSL module installed
>    2. Kernel switched to FIPS with /proc/sys/crypto/fips_enabled=1
>
> Will this make OpenSSL switch to FIPS mode as well? Or do I
> necessarily need to use OPENSSL_FIPS=1?
>

OpenSSL and the OpenSSL FIPS Object Module ignore
/proc/sys/crypto/fips_enabled; that is presumably used by the Red Hat
modified version of OpenSSL.  You'll need to check with them about how
that behaves.

For a genuine FIPS capable OpenSSL you want to use FIPS_mode_set(); see
the FIPS module user guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf and/or the wiki at
https://wiki.openssl.org/.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 301 874 2571
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
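
The distinction drawn in the reply above, as an added example that is not part of the original messages and is not OpenSSL project code: the kernel flag is read only for reporting, and the library enters FIPS mode only through an explicit FIPS_mode_set(1) call. The function names kernel_fips_flag and enter_openssl_fips_mode are hypothetical, and the library call is compiled in only against a FIPS capable OpenSSL 1.0.x, where OPENSSL_FIPS is defined.

```c
#include <stdio.h>

/* OpenSSL headers are optional so the file also builds without them. */
#if defined(__has_include)
# if __has_include(<openssl/crypto.h>)
#  include <openssl/opensslconf.h>
#  include <openssl/crypto.h>
#  include <openssl/err.h>
# endif
#endif

/* Kernel flag: 1 or 0 as read from the file, -1 if missing or malformed. */
int kernel_fips_flag(const char *path)
{
    FILE *f = fopen(path, "r");
    int c;
    if (f == NULL)
        return -1;
    c = fgetc(f);
    fclose(f);
    return c == '1' ? 1 : c == '0' ? 0 : -1;
}

/* Library mode: 1 = FIPS mode entered, 0 = FIPS_mode_set(1) failed
 * (for example a failed power-on self test), -1 = this build is not
 * linked against a FIPS capable OpenSSL, so no FIPS mode exists. */
int enter_openssl_fips_mode(void)
{
#if defined(OPENSSL_FIPS) && OPENSSL_VERSION_NUMBER < 0x10100000L
    if (!FIPS_mode_set(1)) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        return 0;
    }
    return 1;
#else
    return -1;
#endif
}

int main(void)
{
    int k = kernel_fips_flag("/proc/sys/crypto/fips_enabled");
    int o = enter_openssl_fips_mode();
    printf("kernel fips_enabled: %d\n", k);
    printf("OpenSSL FIPS mode:   %d\n", o);
    /* Only the library result says whether OpenSSL is in FIPS mode. */
    return o == 1 ? 0 : 1;
}
```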