[openssl-users] How do I verify the FIPS mode

cloud force

Feb 10, 2016, 2:42:47 PM
Hi everyone,

I built and installed the FIPS capable OpenSSL lib on my system, and I was wondering what's the easiest way to find out whether my OpenSSL is really FIPS capable or not.

e.g. is there any way to run some openssl commands to find out, such as "openssl ciphers -v", and what cipher suite should definitely not show up in FIPS mode.

Thanks,
Rich

Lesley Kimmel

Feb 10, 2016, 2:50:31 PM
I think you can run 'OPENSSL_FIPS=1 openssl ciphers -v'. I believe that, if FIPS is compiled in properly, you should get output. Otherwise an error should occur.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Lesley Kimmel

Feb 10, 2016, 2:57:39 PM
Actually, I may have steered you wrong. It appears that OPENSSL_FIPS may have no effect against a non-FIPS enabled OpenSSL. According to some posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an error as md5 is not an enabled cipher in FIPS mode.

Steve Marquess

Feb 10, 2016, 3:03:19 PM
On 02/10/2016 02:56 PM, Lesley Kimmel wrote:
> Actually, I may have steered you wrong. It appears that OPENSSL_FIPS may
> have no effect against a non-FIPS enabled OpenSSL. According to some
> posts you can do 'OPENSSL_FIPS=1 openssl md5' which should return an
> error as md5 is not an enabled cipher in FIPS mode.

It depends on the version. Recent versions of OpenSSL will give a "FIPS
mode not supported" error for

env OPENSSL_FIPS=1 openssl md5 ...

Whereas that command for a properly built FIPS-enabled OpenSSL will give
a "not permitted in FIPS mode" error.

-Steve M.

--
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marq...@openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
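
The check described in this reply, wrapped as a shell function (an added example, not code from the thread or from the OpenSSL project). The function names and verdict labels are hypothetical; the matched phrases are the two quoted in the reply, and the exact wording a given build prints is an assumption.

```shell
#!/bin/sh
# Classify the result of `env OPENSSL_FIPS=1 openssl md5` as described above.
# The matched phrases come from the reply; real builds may word them differently.

# classify_fips_msg TEXT
# Prints: fips-enforced | not-fips-capable | inconclusive
classify_fips_msg() {
    case "$1" in
        *"not permitted in FIPS mode"*) echo "fips-enforced" ;;
        *"FIPS mode not supported"*)    echo "not-fips-capable" ;;
        *)                              echo "inconclusive" ;;
    esac
}

# check_openssl_fips [OPENSSL_BINARY]
# Runs the MD5 probe against the given binary (default: openssl on PATH).
check_openssl_fips() {
    bin="${1:-openssl}"
    # Hash empty stdin; keep stdout and stderr together so the error text
    # is captured wherever the build writes it.
    out=$(env OPENSSL_FIPS=1 "$bin" md5 </dev/null 2>&1) && rc=0 || rc=$?
    verdict=$(classify_fips_msg "$out")
    # A successful MD5 digest means the variable had no effect on this
    # binary, so FIPS mode is not being enforced.
    if [ "$verdict" = "inconclusive" ] && [ "$rc" -eq 0 ]; then
        verdict="md5-allowed"
    fi
    echo "$verdict"
}

# Usage: check_openssl_fips /path/to/openssl
```

Pass the path of the binary you built so the probe does not silently test a different `openssl` found earlier on `PATH`.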

cloud force

Feb 10, 2016, 3:28:29 PM
Thanks Lesley and Steve for the answers.

Rich