1OpenSSL FIPS support 2==================== 3 4This release of OpenSSL includes a cryptographic module that is intended to be 5FIPS 140-2 validated. The module is implemented as an OpenSSL provider. 6A provider is essentially a dynamically loadable module which implements 7cryptographic algorithms, see the [README-PROVIDERS](README-PROVIDERS.md) file 8for further details. 9 10The OpenSSL FIPS provider comes as shared library called `fips.so` (on Unix) 11resp. `fips.dll` (on Windows). The FIPS provider does not get built and 12installed automatically. To enable it, you need to configure OpenSSL using 13the `enable-fips` option. 14 15Installing the FIPS module 16========================== 17 18If the FIPS provider is enabled, it gets installed automatically during the 19normal installation process. Simply follow the normal procedure (configure, 20make, make test, make install) as described in the [INSTALL](INSTALL.md) file. 21 22For example, on Unix the final command 23 24 $ make install 25 26effectively executes the following install targets 27 28 $ make install_sw 29 $ make install_ssldirs 30 $ make install_docs 31 $ make install_fips # for `enable-fips` only 32 33The `install_fips` make target can also be invoked explicitly to install 34the FIPS provider independently, without installing the rest of OpenSSL. 35 36The Installation of the FIPS provider consists of two steps. In the first step, 37the shared library is copied to its installed location, which by default is 38 39 /usr/local/lib/ossl-modules/fips.so on Unix, and 40 C:\Program Files\OpenSSL\lib\ossl-modules\fips.dll on Windows. 41 42In the second step, the `openssl fipsinstall` command is executed, which completes 43the installation by doing the following two things: 44 45- Runs the FIPS module self tests 46- Generates the so-called FIPS module configuration file containing information 47 about the module such as the self test status, and the module checksum. 48 49The FIPS module must have the self tests run, and the FIPS module config file 50output generated on every machine that it is to be used on. You must not copy 51the FIPS module config file output data from one machine to another. 52 53On Unix the `openssl fipsinstall` command will be invoked as follows by default: 54 55 $ openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module /usr/local/lib/ossl-modules/fips.so 56 57If you configured OpenSSL to be installed to a different location, the paths will 58vary accordingly. In the rare case that you need to install the fipsmodule.cnf 59to non-standard location, you can execute the `openssl fipsinstall` command manually. 60 61Using the FIPS Module in applications 62===================================== 63 64Documentation about using the FIPS module is available on the [fips_module(7)] 65manual page. 66 67 [fips_module(7)]: https://www.openssl.org/docs/manmaster/man7/fips_module.html 68
