> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of murugesh pitchaiah
>
> On 3/6/18, Ken Goldman <kgold...@us.ibm.com> wrote:
> > This call fails on two platforms with:
> >
> > fips.c(143): OpenSSL internal error, assertion failed: FATAL FIPS
> > SELFTEST FAILURE
> 
> On invoking FIPS_mode_set(1), the self test would be run internally
> first. The test would be run for all modules like dsa, rsa, rng, etc.
> This error indicates a failure in one of these self-test runs.

Also note that the OpenSSL FIPS validations are for specific platforms. OpenSSL 
FIPS has not been validated on every platform that OpenSSL can be built on 
(that would be infeasible). The FIPS 140-2 Level 1 self-test is sensitive to 
build and load conditions, so it's entirely possible that it fails on some 
platforms where the work hasn't been done to get the FIPS container to the 
state where it will pass validation. At least that's my understanding; I'm not 
a FIPS 140 expert.

In any case, if OpenSSL doesn't have an active FIPS 140-2 validation for the 
"two platforms" Ken mentioned, then there's not much point in getting the 
self-test to pass. Even in FIPS mode OpenSSL won't be FIPS-validated on that 
platform and products using it can't claim they have FIPS-validated 
cryptography.

That said, I know some developers and customers want "FIPS mode" even when 
there is no FIPS validation, sometimes to suppress algorithms they don't want 
used, and sometimes just to check a tickbox. While I don't approve (FIPS 140-2 
is badly outdated and ill-suited to software implementations, and a distraction 
from real security), this is sometimes a requirement.

-- 
Michael Wojcik 
Distinguished Engineer, Micro Focus 
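To make the self-test gate described in the quoted reply concrete, here is an added illustration in C. It is not OpenSSL's code and not from anyone on this thread: it models the power-up known-answer-test (KAT) step that FIPS_mode_set(1) performs, where every module's test must pass before the mode flag is set, and any single failure leaves the mode off. CRC-32 with its standard check value stands in for the real DSA/RSA/RNG KATs, the suites and test names are constructed, and the second suite deliberately contains a wrong known answer to exercise the failure path. One difference from the bare "FATAL FIPS SELFTEST FAILURE" assertion is that this gate records which test failed, which is the first thing a practitioner wants when the error appears on a new platform.

```c
/* Added illustration, not OpenSSL code: a power-up known-answer self-test
 * (KAT) gate of the kind FIPS_mode_set(1) runs before enabling FIPS mode.
 * Each "module" has a test; the mode is enabled only if every test passes,
 * and on failure the gate reports which test failed instead of aborting
 * with a bare "FATAL FIPS SELFTEST FAILURE". CRC-32 is a stand-in for the
 * real DSA/RSA/RNG KATs; suites and test names below are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static int g_mode_enabled = 0;           /* stands in for the FIPS mode flag */
static const char *g_failed_test = NULL; /* name of the first failing KAT */

/* Standard reflected CRC-32 (IEEE 802.3); the check value for "123456789"
 * is 0xCBF43926. */
static uint32_t crc32_ieee(const unsigned char *buf, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* A known-answer test: run the primitive on a fixed input and compare. */
typedef struct {
    const char *name;   /* which "module" this test covers */
    const char *input;  /* constructed test vector */
    uint32_t expected;  /* known answer */
} kat_t;

static int run_kat(const kat_t *t)
{
    uint32_t got = crc32_ieee((const unsigned char *)t->input, strlen(t->input));
    return got == t->expected;
}

/* Self-test gate: run every KAT; enable the mode only when all pass.
 * Returns 1 on success, 0 on failure (g_failed_test then names the culprit). */
static int selftest_and_enable(const kat_t *suite, size_t n)
{
    g_mode_enabled = 0;
    g_failed_test = NULL;
    for (size_t i = 0; i < n; i++) {
        if (!run_kat(&suite[i])) {
            g_failed_test = suite[i].name; /* fail closed at the first failure */
            return 0;
        }
    }
    g_mode_enabled = 1;
    return 1;
}

int mode_enabled(void) { return g_mode_enabled; }
const char *failed_test(void) { return g_failed_test; }

/* Constructed suites: the first has correct vectors; the second includes an
 * entry whose known answer is deliberately wrong, simulating a module whose
 * self-test fails on this platform. */
static const kat_t good_suite[] = {
    { "crc-standard-check", "123456789", 0xCBF43926u },
    { "crc-empty",          "",          0x00000000u },
};
static const kat_t broken_suite[] = {
    { "crc-standard-check", "123456789", 0xCBF43926u },
    { "rng-stub",           "123456789", 0xDEADBEEFu }, /* wrong on purpose */
};

int run_good(void)   { return selftest_and_enable(good_suite, 2); }
int run_broken(void) { return selftest_and_enable(broken_suite, 2); }

int main(void)
{
    if (run_broken())
        printf("mode enabled\n");
    else
        printf("self-test failed in: %s (mode stays off)\n", failed_test());
    return 0;
}
```

The design point is the fail-closed order of operations: the mode flag is cleared before the tests run and set only after the last one passes, so a caller that checks the flag after a failed enable never sees a half-enabled state.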


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users