====== 3.2 Windows FIPS Build ======
This guide explains how to compile OpenSSL with FIPS 140-3 support.
----
===== What is FIPS 140-3? =====
**FIPS 140-3** (Federal Information Processing Standard) is a US standard for cryptographic modules. It defines:
* Which algorithms are allowed
* How keys must be generated
* Self-tests at startup
* Tamper detection
**Who needs FIPS?**
| Industry | FIPS required? |
|----------|----------------|
| US government | **Yes** |
| EU government | Often (BSI recommends) |
| Banks | **Usually yes** |
| Healthcare | **Often yes** |
| Internal apps | Rarely |
----
===== Prerequisites =====
In addition to the [[.:vorbereitung:windows-tools|standard prerequisites]]:
* ☑ NASM is **mandatory** (not optional!)
* ☑ Clean build directory
----
===== Build Steps =====
==== Step 1: Prepare Environment ====
<code dos>
REM Adjust path: Community, Professional, or Enterprise
call "%ProgramFiles%\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
set PATH=%STRAWBERRY_PERL%\bin;%LOCALAPPDATA%\bin\NASM;%PATH%
cd /d %OPENSSL_SRC%
</code>
==== Step 2: Configure with FIPS ====
<code dos>
perl Configure VC-WIN64A enable-fips --prefix=D:\Projects\openssl-3.6.0\bin --openssldir=D:\Projects\openssl-3.6.0\bin\ssl
</code>
**Important:** The option ''enable-fips'' builds the FIPS provider (''fips.dll'') in addition to the default providers; without it the later ''install_fips'' target has nothing to install.
==== Step 3: Compile ====
<code dos>
nmake
</code>
==== Step 4: Install (including FIPS) ====
<code dos>
nmake install_sw install_fips
</code>
''install_fips'' installs ''fips.dll'' and runs ''openssl fipsinstall'' on this machine, which generates the module configuration ''fipsmodule.cnf'' (including the module's integrity MAC).
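The four steps above as one batch script, added here as an example (it is not part of the original page or of the OpenSSL project). It assumes the ''OPENSSL_SRC'' and ''STRAWBERRY_PERL'' variables and the NASM location from the prerequisites page; ''VSEDITION'' and ''PREFIX'' are placeholders to adjust. It stops at the first failing step and checks the two things that silently break a FIPS build: NASM missing from ''PATH'' and a stale makefile from an earlier non-FIPS ''Configure''.

```batch
@echo off
REM build-openssl-fips.bat - added example, not from the original page or the OpenSSL project.
REM Runs Steps 1-4 end to end and stops at the first failing step.
REM Assumes OPENSSL_SRC, STRAWBERRY_PERL and the NASM path from the prerequisites page.
REM VSEDITION and PREFIX are placeholders: adjust them to your installation.
setlocal
set "VSEDITION=Community"
set "PREFIX=D:\Projects\openssl-3.6.0\bin"

REM Step 1: compiler environment and tool paths
call "%ProgramFiles%\Microsoft Visual Studio\2022\%VSEDITION%\VC\Auxiliary\Build\vcvars64.bat" || exit /b 1
set "PATH=%STRAWBERRY_PERL%\bin;%LOCALAPPDATA%\bin\NASM;%PATH%"

REM NASM is mandatory for the FIPS build: fail here instead of deep inside nmake
where nasm >nul 2>&1 || (echo NASM not found in PATH - it is mandatory for enable-fips & exit /b 1)

cd /d "%OPENSSL_SRC%" || exit /b 1

REM Clean tree: a makefile left by an earlier Configure without enable-fips would be reused
if exist makefile nmake /nologo distclean >nul 2>&1

REM Step 2: configure with the FIPS provider
perl Configure VC-WIN64A enable-fips --prefix=%PREFIX% --openssldir=%PREFIX%\ssl || exit /b 1

REM Step 3: compile
nmake /nologo || exit /b 1

REM Step 4: install libraries, tools and the FIPS provider (install_fips also runs fipsinstall)
nmake /nologo install_sw install_fips || exit /b 1

REM Verify that install_fips produced what the next sections rely on
if not exist "%PREFIX%\lib\ossl-modules\fips.dll" (echo fips.dll was not installed & exit /b 1)
if not exist "%PREFIX%\ssl\fipsmodule.cnf" (echo fipsmodule.cnf was not generated & exit /b 1)
echo FIPS-enabled OpenSSL installed to %PREFIX%
endlocal
```

Run it from a plain ''cmd.exe'' window (not from an already initialised Developer Command Prompt, so that ''vcvars64.bat'' is called exactly once). The ''distclean'' target only runs when a makefile from a previous configuration exists, so the script is safe on a fresh checkout as well.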
----
===== Result =====
In addition to the standard files, the install prefix (''D:\Projects\openssl-3.6.0\bin'') now contains:
<code>
bin\                          (= --prefix)
├── bin\
│   ├── openssl.exe
│   ├── libcrypto-3-x64.dll
│   └── libssl-3-x64.dll
├── lib\
│   └── ossl-modules\
│       ├── fips.dll          # FIPS provider module
│       └── legacy.dll
└── ssl\
    ├── openssl.cnf
    └── fipsmodule.cnf        # FIPS module configuration (generated by fipsinstall)
</code>
----
===== Activate FIPS =====
==== Modify openssl.cnf ====
Open ''D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf'' and add the following. The ''[fips_sect]'' section is **not** written by hand: ''fipsmodule.cnf'' (generated by ''install_fips'' in the same directory) already defines it with ''activate = 1'' and the module MAC that the provider checks at load time, so that file is pulled in with ''.include''. Without it the FIPS provider refuses to load because the integrity data is missing.
<code ini>
# At the beginning of the file
openssl_conf = openssl_init

# Generated by fipsinstall; defines [fips_sect] (activate = 1, module-mac, ...).
# Use forward slashes: the config parser treats a backslash as an escape character.
.include D:/Projects/openssl-3.6.0/bin/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
</code>
''default_properties = fips=yes'' is what actually restricts algorithm fetches to the FIPS provider; activating the provider alone does not prevent an application from using non-approved algorithms from other loaded providers.
==== Generate FIPS Module Hash ====
The FIPS module hash (MAC over ''fips.dll'') must exist before the module can be loaded. ''install_fips'' already generates it during installation; run ''fipsinstall'' again only if ''fipsmodule.cnf'' is missing, or after copying ''fips.dll'' to another machine, since the file is bound to the exact module binary. Run it before ''OPENSSL_CONF'' points at the FIPS-enabled configuration:
<code dos>
cd D:\Projects\openssl-3.6.0\bin
bin\openssl.exe fipsinstall -out ssl\fipsmodule.cnf -module lib\ossl-modules\fips.dll
</code>
----
===== Verify FIPS Mode =====
<code dos>
set OPENSSL_CONF=D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf
REM List providers
openssl list -providers
</code>
Expected output:
<code>
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active
</code>
----
===== Test FIPS Algorithms =====
In FIPS mode, only certain algorithms are available:
<code dos>
REM Allowed hash algorithms
openssl list -digest-algorithms
REM Should show: SHA256, SHA384, SHA512, SHA3-*
REM NOT: MD5 (not implemented by the FIPS provider)
REM SHA1 is still listed, but only for legacy compatibility (see the table below)

REM Allowed signature algorithms
openssl list -signature-algorithms
REM Should show: RSA-PSS, ECDSA, ML-DSA
</code>
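The two verification sections above combined into one check script, added here as an example (it is not part of the original page or of the OpenSSL project). ''PREFIX'' is a placeholder matching the ''--prefix'' used during the build. Listing providers only shows that the module loaded; the script also verifies the module MAC with ''fipsinstall -verify'' and then confirms behaviourally that an approved digest works while a non-approved one is refused, which is the only way to see that ''default_properties = fips=yes'' is really in effect.

```batch
@echo off
REM check-fips.bat - added example, not from the original page or the OpenSSL project.
REM Verifies the installed build: module MAC, provider status, and the fips=yes property filter.
REM PREFIX is a placeholder: set it to the --prefix used in the build.
setlocal
set "PREFIX=D:\Projects\openssl-3.6.0\bin"
set "OPENSSL=%PREFIX%\bin\openssl.exe"
set "RC=0"

REM 1. Module integrity, run without the FIPS config active (as in the fipsinstall step above):
REM    recomputes the MAC over fips.dll and compares it with the value stored in fipsmodule.cnf
set "OPENSSL_CONF="
"%OPENSSL%" fipsinstall -module "%PREFIX%\lib\ossl-modules\fips.dll" -in "%PREFIX%\ssl\fipsmodule.cnf" -verify >nul 2>&1
if errorlevel 1 (echo [FAIL] fipsmodule.cnf does not match fips.dll - rerun fipsinstall & set "RC=1") else (echo [ OK ] FIPS module MAC verified)

REM 2. From here on use the FIPS-enabled configuration and check the provider is loaded
set "OPENSSL_CONF=%PREFIX%\ssl\openssl.cnf"
"%OPENSSL%" list -providers 2>nul | findstr /C:"OpenSSL FIPS Provider" >nul
if errorlevel 1 (echo [FAIL] FIPS provider not loaded - check openssl.cnf and the .include path & set "RC=1") else (echo [ OK ] FIPS provider active)

REM 3. An approved digest must work ...
echo test | "%OPENSSL%" dgst -sha256 >nul 2>&1
if errorlevel 1 (echo [FAIL] SHA-256 not available & set "RC=1") else (echo [ OK ] SHA-256 available)

REM 4. ... and a non-approved one must be refused. If MD5 still succeeds, the property
REM    filter default_properties = fips=yes is not in effect and applications are not restricted.
echo test | "%OPENSSL%" dgst -md5 >nul 2>&1
if errorlevel 1 (echo [ OK ] MD5 refused) else (echo [FAIL] MD5 still usable - fips=yes property not in effect & set "RC=1")

if "%RC%"=="0" (echo All FIPS checks passed) else (echo One or more FIPS checks FAILED)
endlocal & exit /b %RC%
```

The script exits with code 0 only when all four checks pass, so it can be called from a CI job or a deployment script. Clearing ''OPENSSL_CONF'' before the ''-verify'' step matters: the MAC check must load ''fips.dll'' directly, independent of the configuration that is being validated.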
----
===== Important Notes =====
**FIPS compliance is more than just the build!**
For real FIPS certification you need:
- OpenSSL FIPS-validated version (check the CMVP list)
- Correct configuration without non-FIPS algorithms
- Documented Key Ceremony
- Security Policy
**Non-FIPS algorithms in FIPS mode:**
| Algorithm | FIPS Status |
|-----------|-------------|
| MD5 | ❌ Not allowed |
| SHA1 | ⚠️ Only for compatibility |
| DES | ❌ Not allowed |
| 3DES | ⚠️ Being phased out |
| AES-GCM | ✅ Allowed |
| RSA ≥2048 | ✅ Allowed |
| ECDSA | ✅ Allowed |
| ML-DSA | ✅ Allowed |
| ML-KEM | ✅ Allowed |
----
===== Continue to =====
* [[.:testen:fips-validieren|Validate FIPS Mode]]
* [[.:testen:start|4. Testing]]
* [[.:build:start|Back to Build Overview]]
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//