3.2 Windows FIPS Build

This guide explains how to compile OpenSSL 3.x on Windows with the FIPS provider (the module that implements FIPS 140-3 requirements) and how to switch the installation into FIPS mode.


What is FIPS 140-3?

FIPS 140-3 (Federal Information Processing Standard 140-3) is the US and Canadian standard against which cryptographic modules are validated. It is based on ISO/IEC 19790 and applies to the module (here: the OpenSSL FIPS provider), not to the application that calls it. Among other things it specifies:

  • Which algorithms are approved (the SP 800-140C/D annexes, e.g. AES, SHA-2/SHA-3, RSA, ECDSA)
  • How keys must be generated and managed (approved DRBGs, minimum key sizes)
  • Self-tests: an integrity check of the module and known-answer tests before first use, plus conditional tests at run time
  • Physical security, including tamper evidence or response, at the higher security levels; a pure software module such as OpenSSL's is validated at level 1 and relies on its integrity check instead

Who needs FIPS?

Industry        FIPS required?
--------------  -------------------------
US government   Yes
EU government   Often (BSI recommends)
Banks           Usually yes
Healthcare      Often yes
Internal apps   Rarely

Prerequisites

In addition to the standard prerequisites:

  • ☑ NASM is mandatory (not optional!) for building the FIPS provider on Windows
  • ☑ Clean build directory: a source tree that was configured earlier (without enable-fips) keeps its old options, so clean it or re-extract the sources first

Build Steps

Step 1: Prepare Environment

REM Adjust path: Community, Professional, or Enterprise
call "%ProgramFiles%\Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat"
set PATH=%STRAWBERRY_PERL%\bin;%LOCALAPPDATA%\bin\NASM;%PATH%
cd /d %OPENSSL_SRC%

Step 2: Configure with FIPS

perl Configure VC-WIN64A enable-fips --prefix=D:\Projects\openssl-3.6.0\bin --openssldir=D:\Projects\openssl-3.6.0\bin\ssl

Important: enable-fips builds the FIPS provider module (fips.dll) in addition to the default provider. It does not put the library into FIPS mode by itself; that is done by the configuration described further down.

Step 3: Compile

nmake

Step 4: Install (including FIPS)

nmake install_sw install_fips

install_fips installs fips.dll into lib\ossl-modules and then runs openssl fipsinstall against it, which generates ssl\fipsmodule.cnf with the module's integrity MAC and self-test status. install_sw alone does not install the FIPS module.
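The four steps above as one PowerShell script, with the checks a build engineer wants around them. This is an added example, not a script from the original page or from the OpenSSL project. It assumes the page's layout: OPENSSL_SRC and STRAWBERRY_PERL are set, NASM is in %LOCALAPPDATA%\bin\NASM, Visual Studio 2022 Community is installed, and the prefix is D:\Projects\openssl-3.6.0\bin; adjust those values to your machine.

```powershell
# Added example (not from the original page): OpenSSL FIPS build on Windows.
# Assumptions: OPENSSL_SRC and STRAWBERRY_PERL are set, NASM is in
# %LOCALAPPDATA%\bin\NASM, VS 2022 Community, prefix D:\Projects\openssl-3.6.0\bin.
$ErrorActionPreference = 'Stop'
$Prefix = 'D:\Projects\openssl-3.6.0\bin'
$VcVars = Join-Path $env:ProgramFiles 'Microsoft Visual Studio\2022\Community\VC\Auxiliary\Build\vcvars64.bat'

foreach ($v in 'OPENSSL_SRC', 'STRAWBERRY_PERL') {
    if (-not (Test-Path "env:$v")) { throw "Environment variable $v is not set" }
}
if (-not (Test-Path $VcVars)) { throw "vcvars64.bat not found: $VcVars" }

# Step 1: vcvars64.bat only changes the cmd.exe session it runs in, so run it
# there, dump the resulting environment with 'set' and copy it into this session.
cmd /c "call `"$VcVars`" >nul && set" | ForEach-Object {
    if ($_ -match '^([^=]+)=(.*)$') {
        [Environment]::SetEnvironmentVariable($Matches[1], $Matches[2], 'Process')
    }
}
$env:PATH = "$env:STRAWBERRY_PERL\bin;$env:LOCALAPPDATA\bin\NASM;$env:PATH"

# NASM is mandatory for the FIPS provider on Windows; fail here, not inside Configure.
foreach ($tool in 'nasm', 'perl', 'nmake', 'cl') {
    if (-not (Get-Command $tool -ErrorAction SilentlyContinue)) {
        throw "Required tool '$tool' is not on the PATH"
    }
}

Set-Location $env:OPENSSL_SRC
# A tree that was configured before has a makefile; its old options (possibly
# without enable-fips) would stick, so insist on a clean tree.
if (Test-Path 'makefile') {
    throw "Build tree is not clean ('makefile' exists); run 'nmake distclean' or re-extract the sources"
}

# Step 2: Configure with the FIPS provider enabled.
perl Configure VC-WIN64A enable-fips "--prefix=$Prefix" "--openssldir=$Prefix\ssl"
if ($LASTEXITCODE -ne 0) { throw 'Configure failed' }

# Step 3: Compile.
nmake
if ($LASTEXITCODE -ne 0) { throw 'nmake failed' }

# Step 4: Install libraries, tools and the FIPS module. install_fips also runs
# 'openssl fipsinstall', which writes the module MAC into fipsmodule.cnf.
nmake install_sw install_fips
if ($LASTEXITCODE -ne 0) { throw 'install failed' }

# Confirm the FIPS artefacts exist and fipsmodule.cnf carries the integrity MAC.
$Module = Join-Path $Prefix 'lib\ossl-modules\fips.dll'
$ModCnf = Join-Path $Prefix 'ssl\fipsmodule.cnf'
foreach ($f in $Module, $ModCnf) {
    if (-not (Test-Path $f)) { throw "Missing after install: $f" }
}
if (-not (Select-String -Path $ModCnf -Pattern '^module-mac\s*=' -Quiet)) {
    throw "$ModCnf has no module-mac entry; the fipsinstall step did not run cleanly"
}
Write-Host "FIPS-enabled OpenSSL installed to $Prefix"
```

The environment import is the only non-obvious part: vcvars64.bat cannot modify a PowerShell session directly, so the script runs it in cmd.exe, prints the resulting environment with set, and copies every variable over. The final check on module-mac catches the most common silent failure, a fipsmodule.cnf that exists but was written by a fipsinstall run that aborted.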


Result

In addition to the standard files:

D:\Projects\openssl-3.6.0\bin\
├── bin\
│   ├── openssl.exe
│   ├── libcrypto-3-x64.dll
│   └── libssl-3-x64.dll
├── lib\
│   └── ossl-modules\
│       ├── fips.dll          # FIPS provider module (installed by install_fips)
│       └── legacy.dll
└── ssl\
    ├── openssl.cnf
    └── fipsmodule.cnf        # FIPS module configuration (written by fipsinstall)

Activate FIPS

Modify openssl.cnf

Open D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf. The installed file already contains openssl_conf = openssl_init and a [provider_sect] that points at the default provider, so edit those sections rather than adding a second copy. The result should look like this:

# At the beginning of the file
openssl_conf = openssl_init
 
# Pull in the module configuration written by fipsinstall. It contains
# [fips_sect] with activate = 1 plus the module MAC and install status;
# without it the FIPS provider refuses to load. Use forward slashes: in an
# OpenSSL config file a backslash starts an escape sequence (\b, \n, \t, ...).
.include D:/Projects/openssl-3.6.0/bin/ssl/fipsmodule.cnf
 
[openssl_init]
providers = provider_sect
alg_section = algorithm_sect
 
# Only fips and base. Do not list the default provider here, otherwise its
# non-FIPS algorithms remain reachable.
[provider_sect]
fips = fips_sect
base = base_sect
 
# The base provider supplies encoders, decoders and store loaders but no
# cryptographic algorithms; it is needed for reading and writing keys.
[base_sect]
activate = 1
 
[algorithm_sect]
default_properties = fips=yes

Generate FIPS Module Hash

install_fips already performed this step: it calls openssl fipsinstall, which runs the module's self-tests and writes fipsmodule.cnf containing the HMAC (module-mac) of fips.dll. Run it again by hand only if fipsmodule.cnf is missing or if fips.dll was rebuilt or otherwise changed: the MAC is computed over the exact bytes of the module file, so a rebuilt fips.dll fails the integrity check until fipsinstall has been re-run. Conversely, a failing integrity check on a module you did not touch is a finding to investigate, not a nuisance to regenerate away.

cd D:\Projects\openssl-3.6.0\bin
 
bin\openssl.exe fipsinstall -out ssl\fipsmodule.cnf -module lib\ossl-modules\fips.dll

Verify FIPS Mode

set OPENSSL_CONF=D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf
 
REM List loaded providers (use bin\openssl.exe if openssl is not on the PATH)
openssl list -providers

Expected output (fips and base only; if an "OpenSSL Default Provider" entry also appears, the default provider is still activated in openssl.cnf):

Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active

Test FIPS Algorithms

In FIPS mode only the FIPS provider's algorithms are available, so every entry in these listings should carry the @ fips tag:

REM Hash algorithms
openssl list -digest-algorithms
 
REM Expected: SHA-256/384/512, SHA3-*, SHAKE, all @ fips. SHA1 is still listed
REM because the FIPS provider ships it (approved for hashing, HMAC and verifying
REM legacy signatures, but not for generating new signatures). MD5 must be absent.
 
REM Signature algorithms
openssl list -signature-algorithms
 
REM Expected: RSA (PKCS#1 v1.5 and PSS), ECDSA, ML-DSA, all @ fips
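The activation, hash and verification steps above, turned into one check script that exercises real operations rather than only reading listings. This is an added example, not a script from the original page or from the OpenSSL project. It assumes the page's prefix D:\Projects\openssl-3.6.0\bin and the openssl.cnf layout described above; the temporary file names are arbitrary choices.

```powershell
# Added example (not from the original page): verify that the installed OpenSSL
# really runs in FIPS mode. Assumes prefix D:\Projects\openssl-3.6.0\bin.
$Prefix  = 'D:\Projects\openssl-3.6.0\bin'
$OpenSSL = Join-Path $Prefix 'bin\openssl.exe'
$Module  = Join-Path $Prefix 'lib\ossl-modules\fips.dll'
$ModCnf  = Join-Path $Prefix 'ssl\fipsmodule.cnf'
$MainCnf = Join-Path $Prefix 'ssl\openssl.cnf'

function Invoke-OpenSSL([string[]]$Arguments) {
    # Runs openssl.exe and returns exit status plus merged stdout/stderr without
    # throwing, so that "this must fail" checks are possible. ErrorActionPreference
    # is relaxed here because Windows PowerShell turns native stderr into errors.
    $ErrorActionPreference = 'Continue'
    $out = (& $OpenSSL @Arguments 2>&1 | Out-String)
    [pscustomobject]@{ Ok = ($LASTEXITCODE -eq 0); Out = $out }
}

$script:failures = 0
function Check([string]$Name, [bool]$Condition) {
    if ($Condition) { Write-Host "PASS  $Name" } else { Write-Host "FAIL  $Name"; $script:failures++ }
}

# 1. Integrity: the MAC stored in fipsmodule.cnf must match fips.dll on disk.
#    Done before OPENSSL_CONF is set so the check does not depend on the config.
$r = Invoke-OpenSSL @('fipsinstall', '-verify', '-in', $ModCnf, '-module', $Module)
Check 'fipsmodule.cnf MAC matches fips.dll' $r.Ok

# 2. Configuration: openssl.cnf must pull in fipsmodule.cnf (module-mac lives
#    there) and must restrict algorithm selection to fips=yes.
$cnf = Get-Content $MainCnf -Raw
Check 'openssl.cnf includes fipsmodule.cnf' ($cnf -match '(?m)^\s*\.include\s*=?\s*\S*fipsmodule\.cnf')
Check 'openssl.cnf sets default_properties = fips=yes' ($cnf -match '(?m)^\s*default_properties\s*=\s*fips=yes')

# 3. Providers: fips and base active, default not loaded.
$env:OPENSSL_CONF = $MainCnf
$r = Invoke-OpenSSL @('list', '-providers')
Check 'fips provider active'    ($r.Ok -and $r.Out -match 'OpenSSL FIPS Provider')
Check 'base provider active'    ($r.Out -match 'OpenSSL Base Provider')
Check 'default provider absent' ($r.Out -notmatch 'OpenSSL Default Provider')

# 4. Behaviour: positive and negative controls on real operations.
$data = Join-Path $env:TEMP 'fips-check.txt'      # constructed test input
$key  = Join-Path $env:TEMP 'fips-check-rsa.pem'
Set-Content -Path $data -Value 'fips self-check' -NoNewline

Check 'SHA-256 digest works'  (Invoke-OpenSSL @('dgst', '-sha256', $data)).Ok
Check 'MD5 digest is refused' (-not (Invoke-OpenSSL @('dgst', '-md5', $data)).Ok)

# RSA-2048 is the FIPS minimum; 1024-bit key generation must be rejected.
Check 'RSA-2048 keygen works'     (Invoke-OpenSSL @('genpkey', '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:2048', '-out', $key)).Ok
Check 'RSA-1024 keygen is refused' (-not (Invoke-OpenSSL @('genpkey', '-algorithm', 'RSA', '-pkeyopt', 'rsa_keygen_bits:1024', '-out', "$key.bad")).Ok)

Check 'RSA signing with SHA-256 works' (Invoke-OpenSSL @('dgst', '-sha256', '-sign', $key, '-out', "$data.sig", $data)).Ok
# SHA-1 is listed by the FIPS provider but is not approved for generating new
# signatures; recent FIPS providers refuse it when the signature digest check
# in fipsmodule.cnf is enabled. Reported as a warning rather than a failure.
if ((Invoke-OpenSSL @('dgst', '-sha1', '-sign', $key, '-out', "$data.sig", $data)).Ok) {
    Write-Host 'WARN  RSA signing with SHA-1 was accepted; review the indicator settings in fipsmodule.cnf'
}

Remove-Item $data, "$data.sig", $key, "$key.bad" -ErrorAction SilentlyContinue
if ($script:failures) { throw "$($script:failures) FIPS check(s) failed" }
Write-Host 'All FIPS checks passed'
```

The negative controls matter as much as the positive ones: a build where MD5 still hashes or a 1024-bit RSA key still generates is not in FIPS mode even if openssl list -providers looks right, typically because the default provider is still activated or default_properties is missing.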

Important Notes

FIPS compliance is more than just the build!

Building with enable-fips gives you a FIPS-capable module; it does not make the deployment FIPS-validated. For that you need:

  1. A validated FIPS provider: the CMVP certificate for the OpenSSL FIPS provider lists the exact source versions it covers. Only a fips.dll built from one of those releases, following the build procedure in the module's Security Policy, is the validated module; a provider built from a newer release (such as the 3.6.0 build here) is not, unless that version appears on the certificate. OpenSSL's FIPS documentation notes that a validated FIPS provider can be used with a newer 3.x libcrypto, so the usual pattern is a current library plus the validated fips module.
  2. A configuration that cannot reach non-FIPS algorithms: only the fips and base providers loaded, default_properties = fips=yes, and a fipsmodule.cnf generated by fipsinstall for the exact module in use
  3. A documented key ceremony for the keys the module protects
  4. Operation according to the module's Security Policy (the document published with the certificate, which defines the approved mode of operation)

Algorithm status in FIPS mode:

Algorithm     FIPS status
------------  --------------------------------------------------------------
MD5           ❌ Not allowed (not in the FIPS provider)
SHA-1         ⚠️ Legacy only: hashing, HMAC and signature verification, not new signatures
DES           ❌ Not allowed
3DES          ⚠️ Being phased out (decryption of legacy data only)
AES-GCM       ✅ Allowed
RSA ≥ 2048    ✅ Allowed
ECDSA         ✅ Allowed (NIST curves)
ML-DSA        ✅ Allowed
ML-KEM        ✅ Allowed



Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/29 at 09:19 PM