Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

2020-05-28 Thread Salz, Rich via openssl-users
  *   >FIPS ciphers are a subset of the ciphers that OpenSSL supports.

  *   Is this true of both OpenSSL 2.0 FIPS version and OpenSSL 3.0 FIPS 
version? (I suppose yes.) But still, your confirmation will be helpful.

Yes it is true for both.


  *   Also, current version is considered outdated, even before new version is 
ready.

This is true.  But you got it for free.



RE: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

2020-05-28 Thread Prashant Sharma31
Thanks for your answer, it clears up a path for me. Basically, when I build my code against an OpenSSL library running with version 2.0 FIPS enabled, my code would work fine on systems running with the same OpenSSL library version but in non-FIPS mode.
 
$> openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
 
>FIPS ciphers are a subset of the ciphers that OpenSSL supports.
Is this true of both OpenSSL 2.0 FIPS version and OpenSSL 3.0 FIPS version? (I suppose yes.) But still, your confirmation will be helpful. Also, current version is considered outdated, even before new version is ready.
Prashant
 
 
- Original message -
From: "Salz, Rich"
To: Prashant Sharma31, "openssl-users@openssl.org", Mei-Mei Fu
Cc:
Subject: [EXTERNAL] Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?
Date: Thu, May 28, 2020 8:16 PM

Are you asking about the current (outdated) 2.0 module or the 3.0 module that is still being developed?

In 2.0, once you enter FIPS mode you cannot leave it.  In 3.0 you can switch among FIPS and non-FIPS as you need to.  See https://www.openssl.org/docs/OpenSSL300Design.html for a description of 3.0
 
FIPS ciphers are a subset of the ciphers that OpenSSL supports.
 



Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

2020-05-28 Thread Salz, Rich via openssl-users
Are you asking about the current (outdated) 2.0 module or the 3.0 module that 
is still being developed?
In 2.0, once you enter FIPS mode you cannot leave it.  In 3.0 you can switch 
among FIPS and non-FIPS as you need to.  See 
https://www.openssl.org/docs/OpenSSL300Design.html for a description of 3.0

FIPS ciphers are a subset of the ciphers that OpenSSL supports.


Re: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?

2020-05-28 Thread Prashant Sharma31
Reposting the email, as it was not delivered unless we are subscribed to the list.
 
Thanks,
Prashant
 
 
- Original message -
From: Prashant Sharma31/India/IBM
To: openssl-users@openssl.org, Mei-Mei Fu/Santa Teresa/IBM@IBMUS
Cc:
Subject: OpenSSL in FIPS mode, does FIPS mode provide any extra set of ciphersuites?
Date: Thu, May 28, 2020 10:28 AM

Hi All,
 
Greetings,
 
I have a few questions regarding the usage of FIPS mode.
 
Q. Is it possible to develop a piece of software that runs fine with a FIPS-mode-enabled OpenSSL library and not when FIPS is not enabled? i.e. Does enabling FIPS mode bring an extra set of capabilities?
 
Q. Or is it true that FIPS is simply a compliance, i.e. when FIPS is enabled - it imposes a restriction on what ciphersuites are available for an application developer to use?
 
 
Thanks !
 
Prashant