"FIPS mode not supported" on OpenSSL 1.1.1 #7582

Open
junaruga opened this issue Nov 7, 2018 · 13 comments

@junaruga

commented Nov 7, 2018

I got a message "FIPS mode not supported" when doing configuration on OpenSSL 1.1.1 with openssl-fips. Has building with FIPS mode not been supported since OpenSSL 1.1.1?

Related commit hash: b53338c

$ ./config fips shared \
>   --prefix=/usr/local/openssl-1.1.1-fips \
>   --with-fipsdir=/usr/local/openssl-fips-2.0.16
Operating system: x86_64-whatever-linux2


Failure!  build file wasn't produced.
Please read INSTALL and associated NOTES files.  You may also have to look over
your available compiler tool chain or change your configuration.

FIPS mode not supported
$ ./Configure \
>   fips \
>   --prefix=/usr/local/openssl-1.1.1-fips \
>   --with-fipsdir=/usr/local/openssl-fips-2.0.16

Failure!  build file wasn't produced.
Please read INSTALL and associated NOTES files.  You may also have to look over
your available compiler tool chain or change your configuration.

FIPS mode not supported
@richsalz
Contributor

commented Nov 7, 2018

Correct, the current FIPS module only works with 1.0.2

The project is starting work on a new FIPS module which will be included in the next release.
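A pre-flight check for the situation in this issue, added here as an example and not code from the OpenSSL project: it reads the version of a source tree from include/openssl/opensslv.h (assumed to be a release tarball, where that header is present), reports whether the legacy `fips` configure target applies (only 1.0.2 trees work with the FIPS Object Module 2.0; 1.1.x aborts with "FIPS mode not supported" as shown above), and confirms the fipsdir actually carries a fipscanister.o to link against. The function names are the example's own.

```shell
#!/bin/sh
# Pre-flight check before running "./config fips --with-fipsdir=...":
# the FIPS Object Module 2.0 only integrates with the 1.0.2 source tree,
# so say up front what a given source tree and fipsdir will actually do.

# Extract the version ("1.1.1", "1.0.2q", "3.0.0") from a source tree by
# reading OPENSSL_VERSION_TEXT in include/openssl/opensslv.h (release tarballs).
openssl_src_version() {
    hdr="$1/include/openssl/opensslv.h"
    [ -r "$hdr" ] || return 1
    sed -n 's/^.*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([0-9][0-9.a-z]*\).*$/\1/p' "$hdr" | head -n 1
}

# Classify support for the legacy "fips" configure target for a version string.
#   legacy-fips  -> 1.0.2 tree: ./config fips with FIPS module 2.0 works
#   unsupported  -> 1.1.x tree: configure aborts with "FIPS mode not supported"
#   provider     -> 3.x tree: FIPS is a provider, no fipsdir is involved
fips_support_for_version() {
    case "$1" in
        1.0.2*)  echo legacy-fips ;;
        1.1.*)   echo unsupported ;;
        [3-9].*) echo provider ;;
        *)       echo unknown ;;
    esac
}

# The 2.0 module's install tree must carry the canister the 1.0.2 build links
# against; without lib/fipscanister.o the fipsdir is not a usable module.
fipsdir_has_canister() {
    [ -f "$1/lib/fipscanister.o" ]
}

# Combined check: returns 0 if a "fips" build of source tree $1 with fipsdir $2
# can proceed, 1 otherwise (with the reason on stderr).
check_fips_build() {
    ver=$(openssl_src_version "$1") || { echo "no opensslv.h under $1" >&2; return 1; }
    mode=$(fips_support_for_version "$ver")
    echo "OpenSSL $ver: $mode"
    [ "$mode" = legacy-fips ] || return 1
    fipsdir_has_canister "$2" || { echo "fipsdir $2 lacks lib/fipscanister.o" >&2; return 1; }
}
```

Run as `check_fips_build /path/to/openssl-src /usr/local/openssl-fips-2.0.16`; a 1.1.1 tree prints "OpenSSL 1.1.1: unsupported" and exits non-zero before any configure step is attempted.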

@junaruga
Author

commented Nov 7, 2018

@richsalz Sure, thanks for the info.
I hope this ticket will be kept open until "a new FIPS module which will be included in the next release".

@StephenWall

commented Jan 30, 2019

Where is this work taking place? It would be nice to see the progress in a branch on github.

@mattcaswell
Member

commented Jan 30, 2019

There's no code yet - a lot of design work has been going on. We expect to publish that very soon.

@quanah
Contributor

commented May 30, 2019

I have a customer who claims to have a FIPS 140-2 module (from some private company?) that works with the OpenSSL 1.1.1 series. This requires patching OpenSSL 1.1.1 to re-enable FIPS mode. Is this not a valid reason for OpenSSL 1.1.1 to allow FIPS mode?

@levitte
Member

commented May 31, 2019

We have no knowledge of that FIPS module and how it works, so that's kinda hard...

@mspncp
Contributor

commented May 31, 2019

Some Linux distributions do their own FIPS validations which encompass OpenSSL among others. RHEL has one, and Ubuntu did one recently. AFAIK, they are based on 1.1.1, but I'm not sure.

@mspncp
Contributor

commented May 31, 2019

(A quick search yields that Ubuntu's validation might be based on 1.0.2)

@levitte
Member

commented May 31, 2019

If that is the case, then they've made an incompatible mod. And sure, they're free to do so...

@t-j-h
Member

commented May 31, 2019

@quanah you should ask which certificate number matches the validation being used as that will provide details at least of what is being claimed.

@quanah
Contributor

commented May 31, 2019

> @quanah you should ask which certificate number matches the validation being used as that will provide details at least of what is being claimed.

All I need on my end of things is to be able to enable FIPS mode, so they can drop their module in. It's not on me to ensure that their module even works, that's between them and their supplier. But since you can't enable FIPS mode in 1.1.1, that's somewhat problematic.

@t-j-h
Member

commented May 31, 2019

It's not that simple. The code to support redirection for FIPS usage was removed. It isn't just a mode change - it is hundreds of hooks to redirect and rename symbols. I doubt that anyone has actually ported those back into the code base for 1.1 at all.

@quanah
Contributor

commented May 31, 2019

Thanks @t-j-h! I've been rather skeptical of this entire bit they want to do from the get-go.