Re: libcurl in fips mode
Date: Wed, 31 Jul 2019 15:36:50 +0000 (UTC)
some extra tips.
you essentially need 3 things for FIPS:
1. build FIPS capable OpenSSL
2. do correct linking (you need to run a special script, which will inject the FIPS fingerprint - all described in the FIPS user guide)
3. call FIPS_mode_set() in your application (not in Curl!)
if you miss step (2), your step (3) will fail.
On Wednesday, 31 July 2019, 04:26:03 GMT-4, Max Dymond via curl-library <curl-library_at_cool.haxx.se> wrote:
> > Can you please help me with the following question?
> >
> > How do I use libcurl in FIPS mode?
> libcurl has no special provisions for FIPS. If any source code changes or function invokes are necessary, you need to make them.
> OpenSSL FIPS support seems to only exist in the outdated 1.0.2 version and according to https://www.openssl.org/docs/fips/UserGuide-2.0.pdf just linking with a FIPS OpenSSL 1.0.2 is not enough. It then also needs FIPS_mode_set() to be called. (That's a 225 page document and I only skimmed it very casually so I'm far from being knowledgeable in this area.)
If you set the kernel command line parameter to "fips=1" on CentOS (possibly other OSes) then FIPS_mode_set() gets enabled in OpenSSL automatically at start of day; see docs:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://docs.oracle.com/cd/E37670_01/E36387/html/section_bj5_szv_wp.html
If this isn't a viable solution, then you can also link to OpenSSL and call FIPS_mode_set() within your application before using curl.
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
-------------------------------------------------------------------
Received on 2019-07-31
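A preflight check for the "fips=1" route described in the thread, added here as an example and not taken from any of the posters or from curl: it compares the boot parameter with the kernel's FIPS flag in /proc/sys/crypto/fips_enabled. The function name and its output words are made up for this example, and it reports kernel state only, not whether the OpenSSL your application links against actually entered FIPS mode.

```shell
#!/bin/sh
# Added example: did the fips=1 boot parameter take effect?
# Both paths default to the real Linux interfaces and can be overridden,
# so the logic can be exercised on constructed files.

# fips_boot_state [CMDLINE_FILE] [FLAG_FILE]
# Prints one of:
#   active     the kernel FIPS flag reads 1
#   requested  fips=1 is on the command line, but the flag is missing or
#              not 1 (for example a kernel built without FIPS support)
#   off        fips=1 was not requested and the flag is not set
fips_boot_state() {
    cmdline_file=${1:-/proc/cmdline}
    flag_file=${2:-/proc/sys/crypto/fips_enabled}

    requested=0
    if [ -r "$cmdline_file" ]; then
        line=
        IFS= read -r line < "$cmdline_file" || :
        # Match fips=1 as a whole parameter, not nofips=1 or fips=10.
        case " $line " in
            *" fips=1 "*) requested=1 ;;
        esac
    fi

    flag=
    if [ -r "$flag_file" ]; then
        flag=$(tr -d '[:space:]' < "$flag_file")
    fi

    if [ "$flag" = "1" ]; then
        echo active
    elif [ "$requested" -eq 1 ]; then
        echo requested
    else
        echo off
    fi
}

# Stand-alone use: check this machine (or the two files given as arguments).
fips_boot_state "$@"
```

Anything other than "active" means the automatic route did not engage, and the application has to call FIPS_mode_set() itself and check its return value, as described above.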