Hi folks, I have dynamically linked a FIPS capable OpenSSL library (libcrypto.so and libssl.so) into my product's build, but still get a "fingerprint does not match" error when I call FIPS_mode_set(1). This is using a validated copy of FIPS 2.0 source and OpenSSL 1.0.1c.
The full error is:

    25892:error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match:fips.c:489:

During the build on a build machine, I execute the following --

for fips,

    ./config
    make
    make install (with an install prefix)

for openssl,

    ./config fips -d shared --with-fipsdir={.../usr/local/ssl/fips-2.0} --prefix= {...}
    make ... -I{fips include directory} depend
    make ... -I{fips include directory}
    make install

Everything appears to go well. fipscanister.o is generated, openssl is able to find it, and libcrypto.so has similar fingerprint text as fipscanister.o after doing an objdump on both of them. libssl.so and libcrypto.so get linked in with the product source and put into an rpm. The rpm is installed and executed on a different machine from the build machine, one that does not have openssl or fips installed. In the initialization sequence that calls FIPS_mode_set, I'm including openssl/crypto.h and openssl/err.h.

Unfortunately, even after all of this, FIPS_mode_set is unhappy and returns the fingerprint does not match error.

It is my understanding that if I'm not statically linking openssl, I should not need to use fipsld. I'm also not making use of fips_standalone_sha1 anywhere. So what are the digests that actually need to be compared for fips to be validated in a dynamic linking such as this? Is there a step I'm missing to generate and/or install them?