openssl: "FIPS mode not supported" on OpenSSL 1.1.1
I got a message “FIPS mode not supported” when doing configuration on OpenSSL 1.1.1 with openssl-fips. Has building with FIPS mode not been supported since OpenSSL 1.1.1?
Related commit hash: https://github.com/openssl/openssl/commit/b53338cbf8822dd774f9e4057307f347d2b63ff0
```
$ ./config fips shared \
> --prefix=/usr/local/openssl-1.1.1-fips \
> --with-fipsdir=/usr/local/openssl-fips-2.0.16
Operating system: x86_64-whatever-linux2
Failure! build file wasn't produced.
Please read INSTALL and associated NOTES files. You may also have to look over
your available compiler tool chain or change your configuration.
FIPS mode not supported
```

```
$ ./Configure \
> fips \
> --prefix=/usr/local/openssl-1.1.1-fips \
> --with-fipsdir=/usr/local/openssl-fips-2.0.16
Failure! build file wasn't produced.
Please read INSTALL and associated NOTES files. You may also have to look over
your available compiler tool chain or change your configuration.
FIPS mode not supported
```
About this issue
- State: closed
- Created 6 years ago
- Comments: 25 (18 by maintainers)
There’s no code yet - a lot of design work has been going on. We expect to publish that very soon.
You can close your own issues, too 😃
The next release of OpenSSL is 3.0 and will include the FIPS module. All of this work is being done in the open on GitHub in the “master” branch. There will not be a FIPS module for the 1.1.1 release.
It’s not that simple. The code to support redirection for FIPS usage was removed. It isn’t just a mode change - it is hundreds of hooks to redirect and rename symbols. I doubt that anyone has actually ported those back into the code base for 1.1 at all.
@quanah you should ask which certificate number matches the validation being used as that will provide details at least of what is being claimed.
Correct, the current FIPS module only works with 1.0.2
The project is starting work on a new FIPS module which will be included in the next release.