Migration from 1.1.1 to 3.x


Mody, Darshan Arvindkumar (Darshan)

Jun 2, 2025, 12:28:45 AM
to openss...@openssl.org

Hi

We are migrating from OpenSSL 1.1.1 to 3.x. We also need to support FIPS ciphers and FIPS mode.

My question is: do we need to use the API OSSL_PROVIDER_load? If we directly call EVP_default_properties_enable_fips, what are the implications?

Thanks and Regards

Darshan

G Prathap

Jun 2, 2025, 1:03:49 AM
to Mody, Darshan Arvindkumar (Darshan), openss...@openssl.org
Hi Darshan,

Yes, you should use OSSL_PROVIDER_load() to explicitly load the FIPS provider.

EVP_default_properties_enable_fips() alone is not sufficient to enable FIPS mode unless the FIPS provider is already loaded.

Implications of skipping OSSL_PROVIDER_load():

If the FIPS provider is not already loaded via configuration (e.g., through openssl.cnf), then EVP_default_properties_enable_fips() will silently fail to enable FIPS mode.

This may lead to non-FIPS algorithms being used unintentionally.

Thanks & Regards 
Prathap G

--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/PH0PR15MB4526934B9B0CE1696B7785EEA762A%40PH0PR15MB4526.namprd15.prod.outlook.com.

madhu bajpai

Jun 2, 2025, 2:07:14 AM
to G Prathap, Mody, Darshan Arvindkumar (Darshan), openss...@openssl.org

Hi Darshan,

Need an additional clarification on:

OSSL_PROVIDER_load(NULL, "fips");
EVP_set_default_properties(NULL, "fips=yes");

Are the above two functions adequate for FIPS compliance, or do we need additional changes, like APIs that explicitly mention "fips=yes", e.g. EVP_MD_fetch(NULL, "SHA2-256", "fips=yes")?

Is there any reference checklist to ensure FIPS compliance?

We have recently built the FIPS module for iOS and, since we had to generate the install-mac at runtime, had to enable the default provider via openssl.cnf. Should we disable it to avoid any accidental fallback?

Regards,
Madhu

Viktor Dukhovni

Jun 2, 2025, 2:34:09 AM
to openss...@openssl.org
On Mon, Jun 02, 2025 at 11:36:49AM +0530, madhu bajpai wrote:

> Need an additional clarification on:
>
> OSSL_PROVIDER_load(NULL, "fips"); EVP_set_default_properties(NULL,
> "fips=yes");
>
> Are above two functions adequate for FIPS compliance or if we need
> additional changes? Like APIs to explicitly mention "fips=yes” e.g.
> EVP_MD_fetch(NULL, "SHA2-256", "fips=yes");
>
> Is there any reference checklist to ensure FIPS compliance?
>
> We have recently built FIPS module for iOS and since we had to
> generate the install-mac at runtime, had to enable default provider
> via openssl.cnf. Should be disable it for any accidental fallback?

Quoting README-FIPS.md:

https://github.com/openssl/openssl/blob/master/README-FIPS.md

If you need a FIPS validated module then you must ONLY generate a
FIPS provider using OpenSSL versions that have valid FIPS
certificates. A FIPS certificate contains a link to a Security
Policy, and you MUST follow the instructions in the Security Policy
in order to be FIPS compliant.

The security policy for the 3.0 module:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4282

Can be found in:

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4282.pdf

You may want to consider the 3.1 (FIPS 140-3) module:

https://csrc.nist.gov/projects/cryptographic-module-validation-program/certificate/4985

https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp4985.pdf

Any informal answers you get on this list are unauthoritative and should
not be used as a basis for deciding whether your deployment is
FIPS-compliant.

--
Viktor.

Mody, Darshan Arvindkumar (Darshan)

Jun 2, 2025, 4:34:21 AM
to openss...@openssl.org

Thanks for the response.

However, the original question remains unanswered. Can you help me understand whether we need to use both OSSL_PROVIDER_load(NULL, "fips"); and EVP_default_properties_enable_fips?

If we directly use EVP_default_properties_enable_fips, will FIPS be enabled?

Warm Regards
Darshan


Tomas Mraz

Jun 2, 2025, 4:51:44 AM
to Mody, Darshan Arvindkumar (Darshan), openss...@openssl.org
Please read this manual page. It should explain how loading the fips
provider and changing the default properties to enforce the fips
property relate.

https://docs.openssl.org/master/man7/fips_module/

--
Tomáš Mráz, Public Support and Security Manager, OpenSSL Foundation
Join the Code Protectors or support us on Github Sponsors
https://openssl-foundation.org/donate/

Wall, Stephen

Jun 2, 2025, 7:43:29 AM
to openss...@openssl.org

You may enable FIPS system wide without writing any special code by using the openssl.cnf configuration file.  If you explicitly enable the fips and base providers, and do not enable the default provider, all openssl cryptographic operations are done in FIPS mode.  For example:

.include /path/to/your/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

# List of providers to load
[provider_sect]
# default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

# Referenced by alg_section above: make fips=yes the default property
# query so that every fetch is restricted to the fips provider.
[algorithm_sect]
default_properties = fips=yes


The Doctor

Jun 2, 2025, 8:06:09 AM
to Mody, Darshan Arvindkumar (Darshan), openss...@openssl.org
On which OS are you doing this?


Mody, Darshan Arvindkumar (Darshan)

Jun 2, 2025, 11:02:34 AM
to The Doctor, openss...@openssl.org

We are doing this in RHEL 9.4. My understanding is that RHEL itself will be providing the FIPS module.

Thanks and Regards

Darshan


Alicja Kario

Jun 4, 2025, 9:23:11 AM
to Mody, Darshan Arvindkumar (Darshan), openss...@openssl.org
For the FIPS module in RHEL to be working in approved configuration, the whole system needs to be switched to FIPS mode. When that is done, the OpenSSL in RHEL will automatically load the fips.so provider and change the default properties to use it automatically.

As long as the application doesn't override the default property query, it will end up using FIPS certified implementations then.

Regards,
Alicja Kario
Principal Quality Engineer, RHEL Crypto team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00, Brno, Czech Republic

Mody, Darshan Arvindkumar (Darshan)

Jun 5, 2025, 2:42:20 AM
to Alicja Kario, openss...@openssl.org

Thanks for the response.

With RHEL, do we need to make additional changes to the openssl.cnf file?

Thanks and Regards

Darshan