Hi,
I'm trying to do various FIPS tests for libreswan. Our testing system using KVM is a little tricky to selectively boot with fips=1, so I did some scripting to get everything into faked FIPS mode. It basically comes down to first running a script that: - creates /etc/system-fips - disable selinux (for next step) - fake /proc/sys/crypto/fips_enabled by echo "1" > /tmp/fips_enabled mount --bind /tmp/fips_enabled /proc/sys/crypto/fips_enabled - running modutil: /usr/bin/modutil -dbdir /etc/ipsec.d -fips true -force /usr/bin/modutil -dbdir /etc/ipsec.d -chkfips true (which DOES output: (FIPS mode enabled.") - starting libreswan via systemctl start ipsec.service libreswan, which has its own checks for /proc/sys/crypto/fips_enabled and /etc/system-fips confirms it is in FIPS mode. But somehow, the NSS library is still not in FIPS mode. I suspect the dance through systemd might cause this? Do some environment variables get set and lost? Is there a way to export some environment variables to force NSS harder? Paul -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
