OpenSSL: Report -fips in version if OpenSSL is built with FIPS #3771
Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS
Reported-by: Ricky Leverence Jr
Doesn't appear so. 1.1.1 doesn't seem to support it at all, given this line in their 1.1.1 stable branch:
On the 1.1.0 branch, you'll see the
So.. long answer short, it shouldn't do
Older versions of OpenSSL report FIPS availability via an OPENSSL_FIPS define. It uses this define to determine whether to publish -fips at the end of the version displayed. Applications that utilize the version reported by OpenSSL will see a mismatch if they compare it to what curl reports, as curl is not modifying the version in the same way. This change simply adds a check to see if OPENSSL_FIPS is defined, and will alter the reported version to match what OpenSSL itself provides. This only appears to be applicable in versions of OpenSSL <1.1.1
Reported-by: Ricky Leverence Jr
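The mismatch the commit message describes, as an added example (not code from this pull request or from curl): a version string built from the pre-1.1.0 `OPENSSL_VERSION_NUMBER` layout only matches the library's own version text when the `-fips` suffix is appended. The helper names, the `OpenSSL/` prefix and the sample 1.0.2k values are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* In a real build the flag would come from the OpenSSL headers. */
#ifdef OPENSSL_FIPS
#define BUILT_WITH_FIPS 1
#else
#define BUILT_WITH_FIPS 0
#endif

/* Hypothetical helper. Pre-1.1.0 version numbers are laid out as
   0xMNNFFPPS: major, minor, fix, patch-letter index, status nibble.
   fips is a parameter so both outcomes can be compared in one build.
   Returns the snprintf length, or -1 for two-letter patch levels,
   which this example does not handle. */
static int format_ossl_version(unsigned long v, int fips,
                               char *buf, size_t len)
{
  char sub[2] = "";
  unsigned patch = (unsigned)((v >> 4) & 0xff);
  if(patch > 26)
    return -1;
  if(patch)
    sub[0] = (char)('a' + patch - 1);   /* 1 -> 'a', 11 -> 'k' */
  return snprintf(buf, len, "OpenSSL/%lu.%lu.%lu%s%s",
                  (v >> 28) & 0xf, (v >> 20) & 0xff, (v >> 12) & 0xff,
                  sub, fips ? "-fips" : "");
}

/* Compare our rendering with the second space-separated field of an
   OPENSSL_VERSION_TEXT-style string. Returns 1 on an exact match. */
static int same_version(const char *ours, const char *lib_text)
{
  const char *a = strchr(ours, '/');
  const char *b = strchr(lib_text, ' ');
  size_t n;
  if(!a || !b)
    return 0;
  a++;
  b++;
  n = strcspn(b, " ");
  return strlen(a) == n && strncmp(a, b, n) == 0;
}

int main(void)
{
  /* Constructed sample: 1.0.2k as a FIPS-enabled library reports it. */
  const char *lib = "OpenSSL 1.0.2k-fips  26 Jan 2017";
  char buf[64];
  format_ossl_version(0x100020bfUL, BUILT_WITH_FIPS, buf, sizeof(buf));
  printf("%s matches library text: %d\n", buf, same_version(buf, lib));
  return 0;
}
```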
OpenSSL 1.1.0 does not have FIPS support either. See the end of https://www.openssl.org/blog/blog/2018/09/25/fips/
The upcoming OpenSSL 3.0.0 will be the first version that will have FIPS support:
But the patch is good to go.
@Jan-E Thanks for verifying the patch is good. Can you clarify what you mean by OpenSSL not having FIPS support presently? The effort your links are referring to seems to be the effort to build the next generation FIPS module.
Are you saying that you believe that existing builds of OpenSSL don't report -fips if it has the existing FIPS 140-2 validated cryptographic module, the OpenSSL FIPS Object Module 2.0?
There is existing FIPS support here that works with OpenSSL 1.0.1 and 1.0.2.
We are running into this issue presently with a combination of open source packages, so I don't want it to seem like this patch isn't valuable until OpenSSL 3.0.