some extra tips.
you essentially need 3 things for FIPS:
1. build FIPS capable OpenSSL
2. do correct linking (you need to run special script, which will inject FIPS fingerprint - all described in the FIPS user guide)
3. call FIPS_mode_set() in your application (not in Curl!)

if you miss step (2), your step (3) will fail.


On Wednesday, 31 July 2019, 04:26:03 GMT-4, Max Dymond via curl-library <curl-library@cool.haxx.se> wrote:

> > Can you please help me with the following question?
> >
> > How do I use libcurl in FIPS mode?

> libcurl has no special provisions for FIPS. If any source code changes or 
> function invokes are necessary, you need to make them.

> OpenSSL FIPS support seems to only exist in the outdated 1.0.2 version and 
> according to https://www.openssl.org/docs/fips/UserGuide-2.0.pdf just linking 
> with a FIPS OpenSSL 1.0.2 is not enough. It then also needs FIPS_mode_set() 
> to be called. (That's a 225 page document and I only skimmed it very casually 
> so I'm far from being knowledgeable in this area.)

If you set the kernel command line parameter to "fips=1" on CentOS (possibly 
other OSes) then FIPS_mode_set() gets enabled in OpenSSL automatically at start 
of day; see docs:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://docs.oracle.com/cd/E37670_01/E36387/html/section_bj5_szv_wp.html 

If this isn't a viable solution, then you can also link to OpenSSL and call 
FIPS_mode_set() within your application before using curl.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html  
-------------------------------------------------------------------
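
A check for the "fips=1" route described in the message above, as an added example that is not part of the original thread: it compares the kernel command line with the kernel's own FIPS flag, so you know whether automatic enablement can apply or whether the FIPS_mode_set() route is needed. The function names are hypothetical; the file paths are parameters so the check can be run against constructed files, with the standard Linux locations as defaults. It covers the kernel side only, not the OpenSSL build.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# fips_cmdline_set FILE -> status 0 if FILE contains a standalone fips=1 token.
# Padding with spaces keeps "nofips=1" and "fips=10" from matching.
fips_cmdline_set() {
    case " $(cat "${1:-/proc/cmdline}" 2>/dev/null) " in
        *" fips=1 "*) return 0 ;;
    esac
    return 1
}

# fips_kernel_flag FILE -> status 0 if the kernel reports FIPS mode (file holds 1).
# A missing file (kernel without FIPS support) counts as "not enabled".
fips_kernel_flag() {
    [ "$(cat "${1:-/proc/sys/crypto/fips_enabled}" 2>/dev/null)" = "1" ]
}

# fips_boot_state CMDLINE_FILE FLAG_FILE -> prints one of:
#   enabled   fips=1 was passed and the kernel reports FIPS mode
#   mismatch  the two disagree, e.g. fips=1 was passed but the kernel
#             does not report FIPS mode
#   disabled  neither is set; use the FIPS_mode_set() route from the thread
fips_boot_state() {
    c=1; k=1
    fips_cmdline_set "$1" && c=0
    fips_kernel_flag "$2" && k=0
    if [ "$c" -eq 0 ] && [ "$k" -eq 0 ]; then
        echo enabled
    elif [ "$c" -eq 0 ] || [ "$k" -eq 0 ]; then
        echo mismatch
    else
        echo disabled
    fi
}

# Report the state of the running system.
fips_boot_state /proc/cmdline /proc/sys/crypto/fips_enabled
```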