====== 4.3 Validate FIPS Mode ======
This page shows how to validate the FIPS mode of your OpenSSL installation.
----
===== Check FIPS Provider =====
<code powershell>
$openssl = "D:\Projects\openssl-3.6.0\bin\bin\openssl.exe"
# Set environment (the config activates the FIPS provider)
$env:OPENSSL_CONF = "D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf"
# List providers
& $openssl list -providers
</code>
**With FIPS active:**
<code>
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active
</code>
**Without FIPS:**
<code>
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.6.0
    status: active
</code>
----
===== Verify FIPS Algorithms =====
In FIPS mode, only certified algorithms are available.
==== Allowed Hash Algorithms ====
<code powershell>
& $openssl list -digest-algorithms
</code>
**FIPS allowed:**
* SHA-256, SHA-384, SHA-512
* SHA3-256, SHA3-384, SHA3-512
* SHAKE128, SHAKE256
**Not FIPS allowed:**
* <del>MD5</del>
* <del>SHA1</del> (only for compatibility)
* <del>MD4</del>
==== Allowed Signature Algorithms ====
<code powershell>
& $openssl list -signature-algorithms
</code>
**FIPS allowed:**
* RSA (≥2048 bit)
* ECDSA (P-256, P-384, P-521)
* ML-DSA-44, ML-DSA-65, ML-DSA-87
----
===== FIPS Self-Tests =====
The FIPS provider performs self-tests when loading:
<code powershell>
# Verbose mode for self-test output
$env:OPENSSL_FIPS_TEST = "1"
& $openssl list -providers
</code>
If self-tests fail, the FIPS provider will not be activated!
----
===== Check FIPS Module Integrity =====
The FIPS modules have an embedded hash for integrity checking:
<code powershell>
# Verify the FIPS module against the hash stored in fipsmodule.cnf
& $openssl fipsinstall -verify -module "D:\Projects\openssl-3.6.0\bin\lib\ossl-modules\fips.dll" -in "D:\Projects\openssl-3.6.0\bin\ssl\fipsmodule.cnf"
</code>
Expected output:
<code>
VERIFY PASSED
</code>
On error:
<code>
VERIFY FAILED
</code>
If VERIFY FAILED: The DLL may have been modified. Rebuild!
----
===== Test: Non-FIPS Algorithm Blocked =====
In FIPS mode, MD5 should be blocked:
<code powershell>
# MD5 should fail (stderr merged into stdout so the error text is visible)
& $openssl dgst -md5 test.txt 2>&1
</code>
Expected output (with FIPS):
<code>
Error setting digest
xxxx:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported
</code>
If MD5 works, FIPS is not active!
----
===== Check FIPS Properties in Code =====
In C or .NET you can check FIPS programmatically:
<code csharp>
// C# P/Invoke example: OSSL_PROVIDER_available(OSSL_LIB_CTX *libctx, const char *name) returns 1 if the provider can be loaded
using System;
using System.Runtime.InteropServices;

public static class FipsCheck
{
    [DllImport("libcrypto-3-x64.dll", CallingConvention = CallingConvention.Cdecl, CharSet = CharSet.Ansi)]
    private static extern int OSSL_PROVIDER_available(IntPtr libctx, string name);

    // IntPtr.Zero = default library context, which reads OPENSSL_CONF, so the environment must be set first
    public static bool IsFipsAvailable()
    {
        return OSSL_PROVIDER_available(IntPtr.Zero, "fips") == 1;
    }
}
</code>
----
===== FIPS Compliance Checklist =====
^ # ^ Check Point ^ Status ^
| 1 | ''enable-fips'' used during build | ☐ |
| 2 | ''fips.dll'' present in ''ossl-modules/'' | ☐ |
| 3 | ''fipsmodule.cnf'' generated | ☐ |
| 4 | ''openssl.cnf'' FIPS provider activated | ☐ |
| 5 | ''openssl list -providers'' shows FIPS active | ☐ |
| 6 | ''fipsinstall -verify'' PASSED | ☐ |
| 7 | MD5 blocked (test) | ☐ |
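The following PowerShell script is an added example, not part of the original page or of the OpenSSL project. It automates checklist items 5, 6 and 7 (the "Check FIPS Provider", "Check FIPS Module Integrity" and "Non-FIPS Algorithm Blocked" sections above) so the validation can run unattended, e.g. in a build pipeline. It assumes the same install paths as used on this page; the function names and the sample input file are my own.

```powershell
$ErrorActionPreference = 'Continue'   # let native stderr flow through 2>&1 instead of throwing

# Assumed paths (same layout as on this page; adjust to your install)
$openssl    = "D:\Projects\openssl-3.6.0\bin\bin\openssl.exe"
$fipsModule = "D:\Projects\openssl-3.6.0\bin\lib\ossl-modules\fips.dll"
$fipsCnf    = "D:\Projects\openssl-3.6.0\bin\ssl\fipsmodule.cnf"
$env:OPENSSL_CONF = "D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf"

# Check 5: parse 'openssl list -providers' into a name -> status map.
# Provider names are the lines without a colon; "status: ..." belongs to the last name seen.
function Get-ProviderStatus {
    $map = @{}
    $current = $null
    foreach ($raw in (& $openssl list -providers 2>&1)) {
        $line = "$raw".Trim()
        if ($line -eq '' -or $line -eq 'Providers:') { continue }
        if ($line -notmatch ':') {
            $current = $line            # e.g. "base", "fips", "default"
            $map[$current] = 'unknown'
        } elseif ($current -and $line -match '^status:\s*(\S+)') {
            $map[$current] = $Matches[1]
        }
    }
    return $map
}

# Check 6: module integrity. Require both exit code 0 and the literal "VERIFY PASSED".
function Test-FipsModuleIntegrity {
    $out = & $openssl fipsinstall -module $fipsModule -in $fipsCnf -verify 2>&1 | Out-String
    return ($LASTEXITCODE -eq 0 -and $out -match 'VERIFY PASSED')
}

# Check 7: MD5 must be rejected AND SHA-256 must still work as a positive control.
# Without the control, a broken install (every digest failing) would look "compliant".
function Test-Md5Blocked {
    $tmp = New-TemporaryFile
    try {
        [IO.File]::WriteAllText($tmp.FullName, 'fips validation sample')   # constructed input
        $md5Out = & $openssl dgst -md5 $tmp.FullName 2>&1 | Out-String
        $md5Blocked = ($LASTEXITCODE -ne 0 -and $md5Out -match 'unsupported')
        & $openssl dgst -sha256 $tmp.FullName 2>&1 | Out-Null
        $sha256Works = ($LASTEXITCODE -eq 0)
        return ($md5Blocked -and $sha256Works)
    } finally {
        Remove-Item $tmp.FullName -ErrorAction SilentlyContinue
    }
}

$providers = Get-ProviderStatus
$results = [ordered]@{
    'fips provider active'    = ($providers['fips'] -eq 'active')
    'fipsinstall -verify OK'  = (Test-FipsModuleIntegrity)
    'MD5 blocked, SHA-256 OK' = (Test-Md5Blocked)
}
$results.GetEnumerator() | ForEach-Object {
    "{0,-26} {1}" -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
# Non-zero exit code makes the script usable as a pipeline gate
if ($results.Values -contains $false) { exit 1 } else { exit 0 }
```

Run it from a PowerShell session after the build; a FAIL on the first line points to the ''openssl.cnf'' / ''OPENSSL_CONF'' issues in the Troubleshooting section, a FAIL on the second line to a modified ''fips.dll'' or a stale ''fipsmodule.cnf'', and a FAIL on the third line to a missing ''default_properties = fips=yes''.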
----
===== Troubleshooting =====
==== "FIPS provider not available" ====
- Was it built with ''enable-fips''?
- Is ''fips.dll'' present?
- Is ''openssl.cnf'' correctly configured?
==== "Self test failed" ====
- Reinstall modules: ''nmake install_fips''
- Regenerate hash: ''openssl fipsinstall ...''
==== MD5 works (should be blocked) ====
- ''default_properties = fips=yes'' missing in openssl.cnf
- ''OPENSSL_CONF'' environment not set
----
===== Continue to =====
* [[.:build:windows-fips|FIPS Build]]
* [[.:integration:start|5. Integration]]
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//