4.3 Validate FIPS Mode

This page shows how to validate the FIPS mode of your OpenSSL installation.

Check FIPS Provider

$openssl = "D:\Projects\openssl-3.6.0\bin\bin\openssl.exe"
 
# Set environment
$env:OPENSSL_CONF = "D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf"
 
# List providers
& $openssl list -providers

With FIPS active:

Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active

Without FIPS:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.6.0
    status: active

Verify FIPS Algorithms

In FIPS mode, only certified algorithms are available.

Allowed Hash Algorithms

& $openssl list -digest-algorithms

FIPS allowed:

SHA-256, SHA-384, SHA-512
SHA3-256, SHA3-384, SHA3-512
SHAKE128, SHAKE256

Not FIPS allowed:

~~MD5~~
~~SHA1~~ (only for compatibility)
~~MD4~~

Allowed Signature Algorithms

& $openssl list -signature-algorithms

FIPS allowed:

RSA (≥2048 bit)
ECDSA (P-256, P-384, P-521)
ML-DSA-44, ML-DSA-65, ML-DSA-87

FIPS Self-Tests

The FIPS provider performs self-tests when loading:

# Verbose mode for self-test output
$env:OPENSSL_FIPS_TEST = "1"
& $openssl list -providers

If self-tests fail, the FIPS provider will not be activated!

Check FIPS Module Integrity

The FIPS modules have an embedded hash for integrity checking:

# Generate/verify FIPS module hash
& $openssl fipsinstall -verify -module "D:\Projects\openssl-3.6.0\bin\lib\ossl-modules\fips.dll" -in "D:\Projects\openssl-3.6.0\bin\ssl\fipsmodule.cnf"

Expected output:

VERIFY PASSED

On error:

VERIFY FAILED

If VERIFY FAILED: The DLL may have been modified. Rebuild!

Test: Non-FIPS Algorithm Blocked

In FIPS mode, MD5 should be blocked:

# MD5 should fail
& $openssl dgst -md5 test.txt 2>&1

Expected output (with FIPS):

Error setting digest
xxxx:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported

If MD5 works, FIPS is not active!

Check FIPS Properties in Code

In C or .NET you can check FIPS programmatically:

// C# P/Invoke example
[DllImport("libcrypto-3-x64.dll")]
private static extern int OSSL_PROVIDER_available(IntPtr libctx, string name);
 
public static bool IsFipsAvailable()
{
    return OSSL_PROVIDER_available(IntPtr.Zero, "fips") == 1;
}

FIPS Compliance Checklist

#	Check Point	Status
—	————-	——–
1	`enable-fips` used during build	☐
2	`fips.dll` present in `ossl-modules/`	☐
3	`fipsmodule.cnf` generated	☐
4	`openssl.cnf` FIPS provider activated	☐
5	`openssl list -providers` shows FIPS active	☐
6	`fipsinstall -verify` PASSED	☐
7	MD5 blocked (test)	☐

Troubleshooting

"FIPS provider not available"

Was it built with enable-fips?
Is fips.dll present?
Is openssl.cnf correctly configured?

"Self test failed"

Reinstall modules: nmake install_fips
Regenerate hash: openssl fipsinstall …

MD5 works (should be blocked)

default_properties = fips=yes missing in openssl.cnf
OPENSSL_CONF environment not set

Continue to

Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional