
Re: libcurl in fips mode

From: Dipak B via curl-library <curl-library_at_cool.haxx.se>
Date: Thu, 8 Aug 2019 03:59:28 +0530

Hi,

1) After following the steps below, I am able to see positive results with
Wireshark but have yet to conclude on this. The aim is to run libcurl in FIPS
compliant mode.

2) Request everyone to share inputs and continue the support as before.

a) Built static libcurl using FIPS capable OpenSSL.

b) In my application, called SSL_Library_Init() followed by FIPS_mode_set()
and other APIs to confirm that FIPS mode is on.

c) Added curl API to do http post using the easy interface.

d) Built my application by linking to static libcurl.lib in point (a) and
FIPS capable OpenSSL .libs.

3) Wireshark shows clienthello and serverhello to be good.

4) Apology for top posting, Gmail does not allow me easily to avoid top
post.

Questions -

Q1) Conceptually, can libcurl work using the CipherSuites selected by FIPS
capable OpenSSL in the above example?

Thus, can we say that libcurl will always be using CipherSuites selected by
the FIPS capable OpenSSL and thus is FIPS compliant?

Q2) Or are changes to libcurl source code an absolute must to run it in
FIPS compliant mode?

Regards.

On Wed 31 Jul, 2019, 1:30 PM Daniel Stenberg, <daniel_at_haxx.se> wrote:

> On Tue, 30 Jul 2019, Dipak B via curl-library wrote:
>
> > Can you please help me with the following question?
> >
> > How do I use libcurl in FIPS mode?
>
> libcurl has no special provisions for FIPS. If any source code changes or
> function invokes are necessary, you need to make them.
>
> OpenSSL FIPS support seems to only exist in the outdated 1.0.2 version and
> according to https://www.openssl.org/docs/fips/UserGuide-2.0.pdf just linking
> with a FIPS OpenSSL 1.0.2 is not enough. It then also needs FIPS_mode_set() to
> be called. (That's a 225 page document and I only skimmed it very casually so
> I'm far from being knowledgeable in this area.)
>
> It would probably be suitable to have curl's configure be able to detect that
> function and be able to use it. But I'm hesitant to add support for that now
> since OpenSSL 1.0.2 is old and reading on the openssl site it seems they
> intend to do FIPS differently going forward.
>
> A possibly more reliable way forward right now would be to instead switch to
> wolfSSL that offers a FIPS version of their current version that is
> supported.
>
> > a. Could not find curlopt_xxx for FIPS mode. Apology if this is not needed.
>
> Normally I would guess that you want FIPS if the FIPS-enabled library was used
> in the build so such an option wouldn't be used, but I've not received much
> feedback on this topic from FIPS-using curl users so I'm mostly guessing.
>
> > b. Checking if VTLS interface can be leveraged to pass socket for which FIPS
> > is configured.
>
> I don't think that sounds like a viable way forward.
>
> --
>
> / daniel.haxx.se | Get the best commercial curl support there is - from me
> | Private help, bug fixes, support, ports, new features
> | https://www.wolfssl.com/contact/
>

Received on 2019-08-08