[Bug 271656] [exp-run] with OpenSSL 3.0 in the base system
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 271656] [exp-run] with OpenSSL 3.0 in the base system"
Date: Sat, 08 Jul 2023 20:54:10 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271656

--- Comment #54 from Pierre Pronchery <khorben@defora.org> ---
(In reply to Guido Falsi from comment #53)

I have managed to track down the issue, and make the FIPS provider work on FreeBSD.

Here is a copy of my comment on GitHub's #787 PR to this effect:
(https://github.com/freebsd/freebsd-src/pull/787)

> I just confirmed that the FIPS module can be configured to load correctly, with this pull-up request applied, on my local amd64 machine:
>
> * Enabling the FIPS provider in `openssl.cnf` disables the default module, so make sure it has `activate = 1` in its section.
> * The default module is required for `openssl fipsinstall`, otherwise no HMAC provider is available to generate the corresponding configuration file. (Defaults to `fips.cnf`)
> * The output of `openssl fipsinstall` (the configuration file) needs to be installed in e.g., `/etc/ssl/fipsmodule.cnf` and included by `openssl.cnf` in order for the FIPS provider to work. (Check the provider's section name to be correct and matching that of `fipsmodule.cnf`, e.g., `fips_sect`)
> * The configuration file depends on the binary code of the `fips.so` provider module, therefore in order for FreeBSD to ship a working FIPS provider by default, `openssl fipsinstall` (or an equivalent) has to be executed to generate it once all of OpenSSL is done building.

--
You are receiving this mail because:
You are on the CC list for the bug.
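An offline lint for the configuration points listed in the comment above, as an added example that is not part of the original message or of FreeBSD or OpenSSL code. The section names `openssl_init`, `provider_sect` and `default_sect`, the function names and both sample files are constructed assumptions; the reader handles only section headers, `key = value` lines and `.include`.

```python
import re

def parse(text):
    """Minimal openssl.cnf reader: ({section: {key: value}}, [.include paths])."""
    sections, includes, cur = {"": {}}, [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        header = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if header:
            cur = header.group(1)
            sections.setdefault(cur, {})
        elif line.startswith(".include"):
            includes.append(line[len(".include"):].lstrip(" =\t"))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[cur][key] = value
    return sections, includes

def check_fips_config(openssl_cnf, fipsmodule_cnf, fipsmodule_path):
    """Return the problems found, one string per point from the comment."""
    main, includes = parse(openssl_cnf)
    fips_sections, _ = parse(fipsmodule_cnf)
    problems = []
    if fipsmodule_path not in includes:
        problems.append("fipsmodule.cnf is not included")
    init = main.get(main[""].get("openssl_conf"), {})
    providers = main.get(init.get("providers"), {})
    fips_name = providers.get("fips")
    if fips_name is None:
        problems.append("fips provider is not listed")
    elif fips_name not in fips_sections:
        problems.append("fips section name does not match fipsmodule.cnf")
    if main.get(providers.get("default"), {}).get("activate") != "1":
        problems.append("default provider lacks activate = 1")
    return problems

# Constructed samples; fips_sect and the include path are the "e.g." values
# from the comment, the other section names are assumed for illustration.
FIPSMODULE_CNF = "[fips_sect]\nactivate = 1\nmodule-mac = PLACEHOLDER\n"
GOOD = """
openssl_conf = openssl_init
.include /etc/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
default = default_sect
[default_sect]
activate = 1
"""
BAD = GOOD.replace("[default_sect]\nactivate = 1", "[default_sect]")  # default left inactive
```

The check covers only the static configuration; whether the `module-mac` in `fipsmodule.cnf` matches the installed `fips.so` is verified by OpenSSL itself when the provider loads.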