Re: Static OpenSSL 3 library with FIPS

2022-03-28 Thread Matt Caswell




On 25/03/2022 20:59, Paul Spencer wrote:
> Thanks for the info.
>
> You mean both libssl.a and libcrypto.a static, and then dynamically
> loaded fips.so, correct?

Yes.

> Unfortunately that gets away from the
> single-binary-executable model and so is a somewhat major change.

Yes. As noted this was a deliberate day 1 design decision.

Matt




-Original Message-
From: Matt Caswell <m...@openssl.org>
To: openssl-users@openssl.org
Subject: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
Date: Fri, 25 Mar 2022 20:22:02 +

On 25/03/2022 18:33, Paul Spencer wrote:
> Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
>
> This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and
> special linking in the Makefile). However, with SSL3, if I go
>
> Configure no-module enable-fips
>
> then it silently disables FIPS. Is there any way to do this?

You can have a static libcrypto (.a) with a dynamically loaded FIPS
module (i.e. using fips.so).

Configure no-shared enable-fips

You cannot have a statically linked FIPS module. It was a day 1 design
decision that we would no longer support this.

Matt



RE: Static OpenSSL 3 library with FIPS

2022-03-25 Thread Paul Spencer

Thanks for the info.

You mean both libssl.a and libcrypto.a static, and then dynamically loaded 
fips.so, correct? Unfortunately that gets away from the 
single-binary-executable model and so is a somewhat major change.


-Original Message-
From: Matt Caswell <m...@openssl.org>
To: openssl-users@openssl.org
Subject: [EXTERNAL] Re: Static OpenSSL 3 library with FIPS
Date: Fri, 25 Mar 2022 20:22:02 +

On 25/03/2022 18:33, Paul Spencer wrote:
> Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
>
> This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and
> special linking in the Makefile). However, with SSL3, if I go
>
> Configure no-module enable-fips
>
> then it silently disables FIPS. Is there any way to do this?

You can have a static libcrypto (.a) with a dynamically loaded FIPS
module (i.e. using fips.so).

Configure no-shared enable-fips

You cannot have a statically linked FIPS module. It was a day 1 design
decision that we would no longer support this.

Matt


Re: Static OpenSSL 3 library with FIPS

2022-03-25 Thread Matt Caswell




On 25/03/2022 18:33, Paul Spencer wrote:
> Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?
>
> This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and
> special linking in the Makefile). However, with SSL3, if I go
>
> Configure no-module enable-fips
>
> then it silently disables FIPS. Is there any way to do this?

You can have a static libcrypto (.a) with a dynamically loaded FIPS
module (i.e. using fips.so).

Configure no-shared enable-fips

You cannot have a statically linked FIPS module. It was a day 1 design
decision that we would no longer support this.

Matt
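
Added example, not part of the thread and not OpenSSL project code: with the static libcrypto plus dynamically loaded fips.so layout described in the reply above, a deployment check can confirm that the FIPS provider actually loaded instead of being silently missing. The function names and both sample listings are constructed, and the parser assumes the non-verbose layout printed by `openssl list -providers`.

```shell
#!/bin/sh
# Classify the FIPS provider from non-verbose `openssl list -providers`
# output on stdin. Prints: active, inactive, or absent.
fips_provider_state() {
    awk '
        # A provider entry is a lone token with no trailing colon (e.g. "fips").
        NF == 1 && $1 !~ /:$/ { current = $1 }
        # Record the first status line belonging to the fips entry.
        $1 == "status:" && current == "fips" && !seen { state = $2; seen = 1 }
        END {
            if (!seen)                  print "absent"
            else if (state == "active") print "active"
            else                        print "inactive"
        }
    '
}

# Constructed sample: static libcrypto, fips.so found and loaded.
sample_fips_loaded() {
    cat <<'EOF'
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active
EOF
}

# Constructed sample: only the default provider is present, no fips entry.
sample_fips_missing() {
    cat <<'EOF'
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active
EOF
}

sample_fips_loaded  | fips_provider_state   # active
sample_fips_missing | fips_provider_state   # absent
```

On a real host, pipe `openssl list -providers` from the deployed build into `fips_provider_state` and fail the deployment on anything other than `active`.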


Static OpenSSL 3 library with FIPS

2022-03-25 Thread Paul Spencer
Q: Is it possible to have a static (.a) OpenSSL 3 library with FIPS support?

This was possible with OpenSSL 1.0.2 and the FIPS 2.0.x module (and special 
linking in the Makefile). However, with SSL3, if I go

Configure no-module enable-fips

then it silently disables FIPS. Is there any way to do this?