Non FIPS Approved Ciphers/Algorithms Should not be allowed when FIPS is enabled #62
Comments
@wumiaont, after enabling the config, 65 UTs failed.
Test Summary Report
02-test_internal_context.t (Wstat: 256 (exited 1) Tests: 1 Failed: 1)
I tried openssl 3.0 and ran the self-tests. When the above config is applied to enable FIPS mode for openssl, lots of self-tests fail. This makes sense, as many self-tests are not FIPS compliant, so disabling those non-FIPS-compliant algorithms/ciphers will make the tests that use those algorithms fail.
FIPS requires that non-FIPS-approved ciphers/algorithms not be allowed when FIPS is enabled on the SONiC platform. It's found that algorithms such as ChaCha20 are still supported by OpenSSL under FIPS mode.
A solution could be bringing openssl-fips.conf back and adding the following to it:

```ini
[openssl_init]
providers = provider_sect
alg_section = evp_properties

[evp_properties]
# Every EVP_*_fetch() is filtered by this query, so only implementations
# whose property definition carries fips=yes can be selected.
default_properties = "fips=yes"
```
Another approach could be adding EVP_default_properties_enable_fips(NULL, 1) to 30-load-symcrypt-engine-provider.patch, which does the same work as the configuration above: it enables FIPS for the default properties.
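To make the mechanism behind both proposals concrete, here is an added Python model of OpenSSL 3 property-query selection; it is not OpenSSL code and not part of this issue or the SONiC project. It registers a constructed set of implementations with the property strings the built-in providers actually advertise (the default provider uses `provider=default`, the FIPS provider `provider=fips,fips=yes`), then resolves fetches under an empty query versus the `fips=yes` query that `default_properties` or `EVP_default_properties_enable_fips()` installs. The `REGISTRY` contents, the `fetch`/`available_under` helpers, and the tie-break rule (first registered wins on equal score) are assumptions of the model.

```python
"""Model of OpenSSL 3 property-query algorithm selection (added example).

Shows why default_properties = "fips=yes" (or EVP_default_properties_enable_fips)
hides ChaCha20: the FIPS provider does not implement it, and the default
provider's implementation carries no fips=yes property, so no candidate
satisfies the query. Constructed model, not libcrypto.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Impl:
    provider: str
    algorithm: str
    properties: str  # property definition, e.g. "provider=fips,fips=yes"


# Constructed registry (assumption): mirrors the property strings the OpenSSL 3
# default and fips providers attach to their implementations.
REGISTRY = [
    Impl("default", "AES-256-GCM", "provider=default"),
    Impl("default", "CHACHA20-POLY1305", "provider=default"),
    Impl("default", "MD5", "provider=default"),
    Impl("default", "SHA256", "provider=default"),
    Impl("fips", "AES-256-GCM", "provider=fips,fips=yes"),
    Impl("fips", "SHA256", "provider=fips,fips=yes"),
]


def parse_definition(defn: str) -> dict:
    """Parse 'a=b,c=d' into {'a': 'b', 'c': 'd'}; a bare 'a' means 'a=yes'."""
    props = {}
    for clause in filter(None, (c.strip() for c in defn.split(","))):
        name, sep, value = clause.partition("=")
        props[name.strip()] = value.strip() if sep else "yes"
    return props


def parse_query(query: str) -> list:
    """Parse a query into (optional, name, op, value) tuples.

    Supported clauses: name=value, name!=value, -name (property must be
    absent); a leading '?' marks a clause as preferred rather than required.
    """
    clauses = []
    for clause in filter(None, (c.strip() for c in query.split(","))):
        optional = clause.startswith("?")
        if optional:
            clause = clause[1:].strip()
        if clause.startswith("-"):
            clauses.append((optional, clause[1:].strip(), "absent", None))
        elif "!=" in clause:
            name, value = clause.split("!=", 1)
            clauses.append((optional, name.strip(), "!=", value.strip()))
        else:
            name, sep, value = clause.partition("=")
            clauses.append((optional, name.strip(), "=",
                            value.strip() if sep else "yes"))
    return clauses


def match_score(properties: str, query: str) -> Optional[int]:
    """Number of satisfied clauses, or None if a required clause fails.

    Model rule: name!=value is satisfied when the property is absent or differs.
    """
    props = parse_definition(properties)
    score = 0
    for optional, name, op, value in parse_query(query):
        if op == "absent":
            ok = name not in props
        elif op == "=":
            ok = props.get(name) == value
        else:
            ok = props.get(name) != value
        if ok:
            score += 1
        elif not optional:
            return None
    return score


def fetch(algorithm: str, query: str) -> Optional[Impl]:
    """Select the best-scoring implementation; ties go to the first registered."""
    best, best_score = None, -1
    for impl in REGISTRY:
        if impl.algorithm != algorithm:
            continue
        score = match_score(impl.properties, query)
        if score is not None and score > best_score:
            best, best_score = impl, score
    return best


def available_under(query: str) -> list:
    """Sorted names of algorithms that can still be fetched under `query`."""
    return sorted({i.algorithm for i in REGISTRY
                   if fetch(i.algorithm, query) is not None})


if __name__ == "__main__":
    for q in ("", "fips=yes"):
        print(f'default_properties="{q}": {available_under(q)}')
```

Running it prints the full algorithm list for the empty query and only the FIPS-provider algorithms for `fips=yes`, which is the behaviour the issue asks for; note that a query of `?fips=yes` would merely prefer FIPS implementations and still let ChaCha20 through, so the config must use the unconditional form.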