programmatic way of generating fipsmodule.cnf using statically linked openssl #21703
Replies: 3 comments 14 replies
-
The only way to get a FIPS compliant outcome, is to exactly follow the instructions in appendix A of the security policy. That said, what's required is in the fipsinstall command. It boils down to generating a checksum of the It would also be possible to statically build the
-
No, it can be done by an installation script, but it needs to do the things exactly as specified by the security policy if you want to be FIPS compliant by the letter. You should however consult all FIPS compliance related questions with a FIPS validation lab; we cannot provide you authoritative answers. For example fipsmodule.cnf without the install checksum means the FIPS module will perform the self tests on each start up, so in the sense of compliance with FIPS module operational requirements this is compliant, but you would not be compliant with the security policy letter.
-
The command as specified in the security policy does not have to be executed manually. It can be executed by a script - a shell script or from another application. What @mattcaswell said wouldn't be FIPS compliant by the letter is to do the same that the
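The reply above says the security policy's command may be run from a script rather than by hand. The following install-time script is an added example written for this page; it is not code from the discussion or from the OpenSSL project. It runs the `openssl fipsinstall` command with only the `-module` and `-out` arguments, then re-checks the result with `-in`/`-verify`, instead of re-deriving fipsmodule.cnf in the application. It assumes an OpenSSL 3.x `openssl` binary on PATH; the module and output paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the discussion or from OpenSSL itself.
# Assumptions: `openssl` (3.x) is on PATH; the FIPS provider path and the
# output path are placeholders passed in by the caller.

# Render the installation command from the security policy's Appendix A:
# one -module argument and one -out argument, nothing else added.
fipsinstall_command() {
    module="$1"
    out="$2"
    printf 'openssl fipsinstall -module %s -out %s\n' "$module" "$out"
}

# Render the verification command: -in/-verify recomputes the module MAC
# and compares it with the value stored in the generated fipsmodule.cnf.
fipsverify_command() {
    module="$1"
    cnf="$2"
    printf 'openssl fipsinstall -module %s -in %s -verify\n' "$module" "$cnf"
}

# Generate fipsmodule.cnf for the given provider and verify it.
# Returns non-zero if the module file is missing, the install fails,
# or the verification step does not match.
install_fips_module() {
    module="$1"
    out="$2"
    if [ ! -f "$module" ]; then
        echo "fips module not found: $module" >&2
        return 1
    fi
    echo "running: $(fipsinstall_command "$module" "$out")"
    openssl fipsinstall -module "$module" -out "$out" || return 1
    echo "running: $(fipsverify_command "$module" "$out")"
    openssl fipsinstall -module "$module" -in "$out" -verify || return 1
    echo "installed and verified: $out"
}

# Entry point when invoked as a script:
#   ./install_fips.sh /path/to/fips.so /path/to/fipsmodule.cnf
if [ $# -eq 2 ]; then
    install_fips_module "$1" "$2"
fi
```

The generated file is specific to the exact provider binary it was computed for, so the script is meant to run on the user's machine against the shipped fips provider, not at build time. The two command strings are printed before each step only so an install log shows which command was executed; the actual calls use the same arguments without any reimplementation of the checksum logic.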
-
We use statically linked OpenSSL libs in our code and we provide a user option to turn on FIPS mode.
Is it possible to programmatically generate the fipsmodule.cnf file using statically linked OpenSSL in our code, for users who have enabled FIPS mode in our app? If so, how can we do this?
The current process for generating the fipsmodule.cnf file is to run the openssl fipsinstall command on the user's machine. However, this requires shipping the OpenSSL DLL with our app, which can be inconvenient and unnecessary. If we could programmatically generate the fipsmodule.cnf file using statically linked OpenSSL, we would avoid this problem.
So, the question is: is it possible to do this? And if so, how?