List:       openssl-users
Subject:    Re: command 'openssl ciphers -v -provider fips' shows non-compliant algorithms
From:       Matt Caswell <matt () openssl ! org>
Date:       2022-01-26 12:40:13
Message-ID: f80fc5c4-5d73-1191-feb4-44e12542cf8e () openssl ! org

On 26/01/2022 11:27, Jan Lana wrote:
> Hi,
> 
> When I run
> openssl ciphers -v -provider fips | grep TLS_CHACHA20_POLY1305_SHA256
> 
> it shows this non-compliant cipher is available.

This looks correct behaviour to me. Your openssl.cnf file is explicitly 
activating the default provider. The "-provider" option is additive. 
Since your config file activates the default provider, you end up with 
both the default and fips providers active.

> Adding the '-propquery fips=yes' argument does not help. IMHO it is not correct behavior.

This is a bug. Fix here:

https://github.com/openssl/openssl/pull/17595


Matt

> 
> 
> I have the default and fips providers enabled in openssl.cnf:
> 
> openssl_conf = openssl_init
> 
> .include /usr/local/ssl/fipsmodule.cnf
> 
> [openssl_init]
> providers = provider_sect
> 
> [provider_sect]
> fips = fips_sect
> default = default_sect
> 
> [default_sect]
> activate = 1
> 
> 
> For testing I use docker.io/salrashid123/openssl:fips image with 
> modified /usr/local/ssl/openssl.cnf.
> 
> When I add 'alg_section = algorithm_sect' to [openssl_init] section 
> defined as follows:
> 
> [algorithm_sect]
> default_properties = fips=yes
> 
> the command 'openssl ciphers -v' shows just FIPS-compliant ciphers.
> 
> I found it when I tried to build stunnel 5.62 and one of their tests failed. 
> The test uses OSSL_PROVIDER_load() to load the FIPS provider and then sets 
> the ciphersuite to TLS_CHACHA20_POLY1305_SHA256.  The expected result is that 
> there is no compliant cipher.
> (https://github.com/mtrojnar/stunnel/blob/178822afdefb0798fb937f6b5f43b47c5ab77613/tests/plugins/p11_fips_cipher.py#L78)
> 
> Thanks in advance,
> - jenda
> 

