Re: How to test a build of the FIPS provider


Kenneth Goldman

Mar 26, 2026, 2:51:19 PM
to openss...@openssl.org

Getting back to this, I followed the instructions below.

> openssl list -providers
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.1
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.1
    status: active

How do I ensure that the program uses the fips module? I try:

    provider = OSSL_PROVIDER_load(NULL, "fips");
    irc = EVP_set_default_properties(NULL, "provider=fips");
    sha = EVP_MD_fetch(NULL, HASHALG, "fips=yes");
    sha = EVP_MD_fetch(NULL, HASHALG, "provider=fips");

All of these seem successful, but this NULL is also successful, so
how do I ensure that the fips module is being used?

    sha = EVP_MD_fetch(NULL, HASHALG, NULL);

Even though I have a base provider (see above), base fails, with
or without the OSSL_PROVIDER_load() or OSSL_PROVIDER_load() calls.

    sha = EVP_MD_fetch(NULL, HASHALG, "provider=base");



On 1/28/2026 6:26 PM, Ken Goldman wrote:

On 1/19/2026 6:49 PM, Ken Goldman wrote:

Fedora 42, x86 - I built openssl 3.6.1 with enable-fips and got fips.so

I'd like to test it locally, as non-root, but not install it in the system area. Are there instructions for this?

I want to test the EVP API, not TLS or the command line.


For the record, here are working instructions, creating
a fips build in myopenssl:

./config -shared --prefix=/home/kgold/myopenssl --libdir=lib --openssldir=/home/kgold/myopenssl -Wl,-rpath,$HOME/myopenssl/lib --debug zlib enable-fips
make
     creates
     ./providers/libfips.a
     ./providers/fips.so
make install
     installs to myopenssl directory
make test
make install_fips
     creates
     /home/kgold/myopenssl/lib/ossl-modules/fips.so
     /home/kgold/myopenssl/fipsmodule.cnf

openssl.cnf
     add
         .pragma includedir: /home/myopenssl/
     uncomment
         .include fipsmodule.cnf
     comment
         #default = default_sect
     add
         base = default_sect
         fips = fips_sect
     in default_sect, uncomment
         activate = 1

fipsmodule.cnf
     add
         module = /home/myopenssl/lib/ossl-modules/fips.so

LNFLAGS += -L/home/myopenssl/lib -Wl,-rpath=/home/myopenssl/lib -lcrypto

Test with
     openssl list -providers

Providers:
   base
     name: OpenSSL Base Provider
     version: 3.6.1
     status: active
   fips
     name: OpenSSL FIPS Provider
     version: 3.6.1
     status: active



--

Work 1-914-945-2415


Ronny Kiel

Mar 26, 2026, 2:53:49 PM
to Kenneth Goldman, openss...@openssl.org
Okaay


--
You received this message because you are subscribed to the Google Groups "openssl-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to openssl-user...@openssl.org.
To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/SJ0PR15MB52787DE3EDD3BFEAA9D17D81F256A%40SJ0PR15MB5278.namprd15.prod.outlook.com.