Hi all,

I have a FIPS application based on openssl-fips 2.0.2 and openssl-1.0.1c. It worked fine a year ago and still works on most server platforms except one. The server model number has not changed, but the CPU inside has changed from Intel Xeon E3-1220, Family 6 Model 42, Sandy Bridge, to E3-1220v2, Family 6 Model 58, Ivy Bridge.

The company who helped us develop the FIPS shared lib tracked the failure to fips_get_entropy(), but can't tell why it fails on the Ivy Bridge processor, but not on other older processors. They patched a known problem (http://rt.openssl.org/Ticket/Display.html?id=2786&user=guest&pass=guest). That change brought us a step further but landed on FIPS_mode_set(1) failing with "PRNG not seeded".

Can anyone shed some light on why my application fails on the server with the Ivy Bridge CPU? Perhaps another question is: what do I have to do to seed the PRNG?

There is one more clue. My application previously initialized openssl in this order:

1. OpenSSL_add_all_algorithms()
2. FIPS_mode_set(1)

I thought maybe the order was wrong, so I switched them around. Well, the application works on E3-1220, on E3-1220v2 and on all the other servers. Is this the correct sequence to initialize openssl-fips? If true, how come the wrong sequence does not fail on other processors?

Thanks for the help.

sialnije
