3.2 Windows FIPS Build

This guide explains how to compile OpenSSL with FIPS 140-3 support.

What is FIPS 140-3?

FIPS 140-3 (Federal Information Processing Standard) is a US standard for cryptographic modules. It defines:

Which algorithms are allowed
How keys must be generated
Self-tests at startup
Tamper detection

Who needs FIPS?

Industry	FIPS required?
———-	—————-
US government	Yes
EU government	Often (BSI recommends)
Banks	Usually yes
Healthcare	Often yes
Internal apps	Rarely

Prerequisites

In addition to the standard prerequisites:

☑ NASM is mandatory (not optional!)
☑ Clean build directory

Build Steps

Step 1: Prepare Environment

REM Adjust path: Community, Professional, or Enterprise
call "%ProgramFiles%\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
set PATH=%STRAWBERRY_PERL%\bin;%LOCALAPPDATA%\bin\NASM;%PATH%
cd /d %OPENSSL_SRC%

Step 2: Configure with FIPS

perl Configure VC-WIN64A enable-fips --prefix=D:\Projects\openssl-3.6.0\bin --openssldir=D:\Projects\openssl-3.6.0\bin\ssl

Important: The parameter enable-fips enables the FIPS provider.

Step 3: Compile

nmake

Step 4: Install (including FIPS)

nmake install_sw install_fips

install_fips installs the FIPS provider and generates the module configuration!

Result

In addition to the standard files:

bin\
├── bin\
│   ├── openssl.exe
│   ├── libcrypto-3-x64.dll
│   └── libssl-3-x64.dll
├── lib\
│   └── ossl-modules\
│       ├── fips.dll          # FIPS Provider Module
│       └── legacy.dll
└── ssl\
    ├── openssl.cnf
    └── fipsmodule.cnf        # FIPS Module Configuration

Activate FIPS

Modify openssl.cnf

Open D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf and add:

# At the beginning of the file
openssl_conf = openssl_init
 
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
 
[provider_sect]
fips = fips_sect
base = base_sect
 
[fips_sect]
activate = 1
 
[base_sect]
activate = 1
 
[algorithm_sect]
default_properties = fips=yes

Generate FIPS Module Hash

On first start, the FIPS module hash must be calculated:

cd D:\Projects\openssl-3.6.0\bin
 
bin\openssl.exe fipsinstall -out ssl\fipsmodule.cnf -module lib\ossl-modules\fips.dll

Verify FIPS Mode

set OPENSSL_CONF=D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf
 
# List providers
openssl list -providers

Expected output:

Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active

Test FIPS Algorithms

In FIPS mode, only certain algorithms are allowed:

# Allowed hash algorithms
openssl list -digest-algorithms
 
# Should show: SHA256, SHA384, SHA512, SHA3-*
# NOT: MD5, SHA1 (disabled in FIPS mode)

# Allowed signature algorithms
openssl list -signature-algorithms
 
# Should show: RSA-PSS, ECDSA, ML-DSA

Important Notes

FIPS compliance is more than just the build!

For real FIPS certification you need:

OpenSSL FIPS-validated version (check the CMVP list)
Correct configuration without non-FIPS algorithms
Documented Key Ceremony
Security Policy

Non-FIPS algorithms in FIPS mode:

Algorithm	FIPS Status
———–	————-
MD5	❌ Not allowed
SHA1	⚠️ Only for compatibility
DES	❌ Not allowed
3DES	⚠️ Being phased out
AES-GCM	✅ Allowed
RSA ≥2048	✅ Allowed
ECDSA	✅ Allowed
ML-DSA	✅ Allowed
ML-KEM	✅ Allowed

Continue to

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional