4.3 Validate FIPS Mode

This page shows how to validate the FIPS mode of your OpenSSL installation.


Check FIPS Provider

$openssl = "D:\Projects\openssl-3.6.0\bin\bin\openssl.exe"
 
# Set environment
$env:OPENSSL_CONF = "D:\Projects\openssl-3.6.0\bin\ssl\openssl.cnf"
 
# List providers
& $openssl list -providers

With FIPS active:

Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active

Without FIPS:

Providers:
  default
    name: OpenSSL Default Provider
    version: 3.6.0
    status: active
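
Rather than reading the provider listing by eye, the check can be scripted. The following is an added PowerShell example, not code from the original page: it parses the text printed by `openssl list -providers` into objects and returns true only when a provider with the id `fips` is listed with `status: active`. The sample listing embedded in it is constructed to match the format shown above; `$openssl` is the path used on this page, and the live check at the end assumes `OPENSSL_CONF` is set as in the first block.

```powershell
$openssl = "D:\Projects\openssl-3.6.0\bin\bin\openssl.exe"   # path used on this page

function ConvertFrom-OpensslProviders {
    # Turns the lines printed by "openssl list -providers" into objects
    # with Id, Name, Version and Status properties.
    param([string[]]$Lines)
    $providers = @()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^  (\S+)\s*$') {
            # Two-space indent and a single token: the provider identifier
            $current = [pscustomobject]@{ Id = $Matches[1]; Name = $null; Version = $null; Status = $null }
            $providers += $current
        }
        elseif ($null -ne $current -and $line -match '^\s+(name|version|status):\s*(.+?)\s*$') {
            # Four-space indent "key: value" lines belong to the current provider
            $key = $Matches[1].Substring(0, 1).ToUpper() + $Matches[1].Substring(1)
            $current.$key = $Matches[2]
        }
    }
    return $providers
}

function Test-FipsActive {
    # True only when a provider with Id "fips" is listed with status "active"
    param([string[]]$Lines)
    $fips = ConvertFrom-OpensslProviders $Lines | Where-Object Id -eq 'fips'
    return [bool]($fips -and $fips.Status -eq 'active')
}

# Constructed sample in the same shape as the "With FIPS active" listing above
$sample = @'
Providers:
  base
    name: OpenSSL Base Provider
    version: 3.6.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.6.0
    status: active
'@ -split "`r?`n"

ConvertFrom-OpensslProviders $sample | Format-Table Id, Name, Version, Status
"FIPS active (sample): $(Test-FipsActive $sample)"

# Live check against the installation (needs OPENSSL_CONF set as shown above)
if (Test-Path $openssl) {
    $live = & $openssl list -providers 2>&1 | ForEach-Object { "$_" }
    "FIPS active (live): $(Test-FipsActive $live)"
}
```

The parser keys on the indentation the tool uses (two spaces for a provider id, four for its attributes), so a listing that shows only `default` yields false, as does a `fips` entry whose status is anything other than `active`.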

Verify FIPS Algorithms

In FIPS mode, only certified algorithms are available.

Allowed Hash Algorithms

& $openssl list -digest-algorithms

FIPS allowed:

  • SHA-256, SHA-384, SHA-512
  • SHA3-256, SHA3-384, SHA3-512
  • SHAKE128, SHAKE256

Not FIPS allowed:

  • ~~MD5~~
  • ~~SHA1~~ (only for compatibility)
  • ~~MD4~~

Allowed Signature Algorithms

& $openssl list -signature-algorithms

FIPS allowed:

  • RSA (≥2048 bit)
  • ECDSA (P-256, P-384, P-521)
  • ML-DSA-44, ML-DSA-65, ML-DSA-87

FIPS Self-Tests

The FIPS provider performs self-tests when loading:

# Verbose mode for self-test output
$env:OPENSSL_FIPS_TEST = "1"
& $openssl list -providers

If self-tests fail, the FIPS provider will not be activated!


Check FIPS Module Integrity

The FIPS module is protected by an integrity hash that fipsinstall records in fipsmodule.cnf and can re-verify against the DLL:

# Generate/verify FIPS module hash
& $openssl fipsinstall -verify -module "D:\Projects\openssl-3.6.0\bin\lib\ossl-modules\fips.dll" -in "D:\Projects\openssl-3.6.0\bin\ssl\fipsmodule.cnf"

Expected output:

VERIFY PASSED

On error:

VERIFY FAILED

If VERIFY FAILED: the DLL may have been modified. Rebuild!


Test: Non-FIPS Algorithm Blocked

In FIPS mode, MD5 should be blocked:

# MD5 should fail
& $openssl dgst -md5 test.txt 2>&1

Expected output (with FIPS):

Error setting digest
xxxx:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported

If MD5 works, FIPS is not active!


Check FIPS Properties in Code

In C or .NET you can query the FIPS provider programmatically:

// C# P/Invoke example (libcrypto-3-x64.dll must be on the DLL search path)
using System;
using System.Runtime.InteropServices;

public static class OpenSslFips
{
    // int OSSL_PROVIDER_available(OSSL_LIB_CTX *libctx, const char *name);
    // libctx = IntPtr.Zero selects the default library context, which honours OPENSSL_CONF.
    [DllImport("libcrypto-3-x64.dll", CallingConvention = CallingConvention.Cdecl)]
    private static extern int OSSL_PROVIDER_available(IntPtr libctx, string name);

    // Reports whether the FIPS provider is loaded; whether non-FIPS algorithms
    // are actually blocked still depends on default_properties (see the MD5 test above).
    public static bool IsFipsAvailable()
    {
        return OSSL_PROVIDER_available(IntPtr.Zero, "fips") == 1;
    }
}

FIPS Compliance Checklist

#   Check Point                                   Status
--  --------------------------------------------  ------
1   enable-fips used during build
2   fips.dll present in ossl-modules/
3   fipsmodule.cnf generated
4   openssl.cnf FIPS provider activated
5   openssl list -providers shows FIPS active
6   fipsinstall -verify PASSED
7   MD5 blocked (test)
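
The checklist, together with the MD5 test in the previous section, can be run as one script that fills in the Status column. The following is an added PowerShell example, not part of the original page: it checks points 2 to 7 against the paths used on this page (point 1 is a build-time property and is only reported as skipped), treats a non-zero exit with an "unsupported" error from `openssl dgst -md5` as "blocked", and adds a SHA-256 positive control so that a broken installation is not mistaken for a working FIPS block. The regular expressions used for the config and provider checks, the `7b` control row and the helper names are this example's own assumptions.

```powershell
$prefix  = "D:\Projects\openssl-3.6.0\bin"          # install prefix used on this page
$openssl = "$prefix\bin\openssl.exe"
$fipsDll = "$prefix\lib\ossl-modules\fips.dll"
$fipsCnf = "$prefix\ssl\fipsmodule.cnf"
$env:OPENSSL_CONF = "$prefix\ssl\openssl.cnf"

function Invoke-Openssl {
    # Runs openssl with the given arguments; returns merged stdout/stderr text and the exit code
    param([string[]]$Arguments)
    $text = (& $openssl @Arguments 2>&1 | ForEach-Object { "$_" }) -join "`n"
    return [pscustomobject]@{ Text = $text; ExitCode = $LASTEXITCODE }
}

function Test-FipsChecklist {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($n, $what, $ok, $detail) {
        $status = if ($null -eq $ok) { 'SKIP' } elseif ($ok) { 'PASS' } else { 'FAIL' }
        $results.Add([pscustomobject]@{ '#' = $n; 'Check Point' = $what; Status = $status; Detail = $detail })
    }

    # 1. build option: a build-time property, not observable from the installed tree
    Add-Result 1 'enable-fips used during build' $null 'check the configure line used for the build'

    # 2./3. artefacts produced by the build and by fipsinstall
    Add-Result 2 'fips.dll present in ossl-modules/' (Test-Path $fipsDll) $fipsDll
    Add-Result 3 'fipsmodule.cnf generated' (Test-Path $fipsCnf) $fipsCnf

    # 4. openssl.cnf names a fips provider and forces fips=yes as the default property
    $cnf = if (Test-Path $env:OPENSSL_CONF) { Get-Content $env:OPENSSL_CONF -Raw } else { '' }
    $cnfOk = ($cnf -match '(?m)^\s*fips\s*=\s*\S+') -and ($cnf -match '(?m)^\s*default_properties\s*=\s*fips\s*=\s*yes')
    Add-Result 4 'openssl.cnf FIPS provider activated' $cnfOk $env:OPENSSL_CONF

    # 5. the provider list shows "fips" with status: active
    $prov = Invoke-Openssl @('list', '-providers')
    $provOk = $prov.Text -match '(?ms)^\s*fips\s*$.*?status:\s*active'
    $ids = [regex]::Matches($prov.Text, '(?m)^  (\S+)\s*$') | ForEach-Object { $_.Groups[1].Value }
    Add-Result 5 'openssl list -providers shows FIPS active' $provOk ("providers: " + ($ids -join ', '))

    # 6. integrity check of the module against the value recorded in fipsmodule.cnf
    $ver = Invoke-Openssl @('fipsinstall', '-verify', '-module', $fipsDll, '-in', $fipsCnf)
    Add-Result 6 'fipsinstall -verify PASSED' ($ver.ExitCode -eq 0 -and $ver.Text -match 'VERIFY PASSED') $ver.Text.Trim()

    # 7. negative test (MD5 must be refused) with a positive control (SHA-256 must work)
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -Path $tmp -Value 'constructed sample input for the digest test'
    try {
        $md5 = Invoke-Openssl @('dgst', '-md5', $tmp)
        $md5Blocked = ($md5.ExitCode -ne 0) -and ($md5.Text -match 'unsupported')
        Add-Result 7 'MD5 blocked (test)' $md5Blocked (($md5.Text -split "`n")[0])
        $sha = Invoke-Openssl @('dgst', '-sha256', $tmp)
        Add-Result '7b' 'SHA-256 still available (control)' ($sha.ExitCode -eq 0 -and $sha.Text -match '256\(') (($sha.Text -split "`n")[0])
    }
    finally {
        Remove-Item $tmp -ErrorAction SilentlyContinue
    }
    return $results
}

Test-FipsChecklist | Format-Table -AutoSize
```

Run it in the same PowerShell session used for the manual checks; every row is read-only against the installation, and a FAIL on row 7 together with a FAIL on 7b points at a broken binary or configuration rather than at a missing FIPS block.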

Troubleshooting

"FIPS provider not available"

  1. Was it built with enable-fips?
  2. Is fips.dll present?
  3. Is openssl.cnf correctly configured?

"Self test failed"

  1. Reinstall modules: nmake install_fips
  2. Regenerate hash: openssl fipsinstall …

MD5 works (should be blocked)

  1. default_properties = fips=yes missing in openssl.cnf
  2. OPENSSL_CONF environment not set
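
Both symptoms come down to the contents of openssl.cnf, so it helps to have a reference layout and a way to diff a real file against it. The following is an added PowerShell example, not part of the original page: it embeds a minimal openssl.cnf in the layout described in OpenSSL's fips_module(7) manual (FIPS provider loaded from the fipsmodule.cnf path used on this page, base provider activated, `default_properties = fips=yes`), and a checker that lists which of these settings a given configuration text is missing. The section names (`provider_sect`, `base_sect`, `algorithm_sect`) and the rule names are this example's own choices.

```powershell
# Reference openssl.cnf layout (after fips_module(7)): load the FIPS provider from
# fipsmodule.cnf, activate the base provider for file I/O, and make fips=yes the
# default property so that only FIPS-approved implementations are fetched.
$fipsReference = @'
openssl_conf = openssl_init
.include D:\Projects\openssl-3.6.0\bin\ssl\fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
'@

function Test-OpensslCnfFips {
    # Reports which of the required settings a configuration text is missing.
    # Section names follow the reference above (an assumption, not an OpenSSL rule).
    param([string]$Content)
    $rules = [ordered]@{
        'openssl_conf names an init section'    = '(?m)^\s*openssl_conf\s*=\s*\S+'
        'fipsmodule.cnf is included'            = '(?m)^\s*\.include\s+\S*fipsmodule\.cnf'
        'provider section lists fips'           = '(?m)^\s*fips\s*=\s*\S+'
        'base provider is activated'            = '(?ms)^\s*\[base_sect\].*?^\s*activate\s*=\s*1'
        'default_properties = fips=yes is set'  = '(?m)^\s*default_properties\s*=\s*fips\s*=\s*yes'
    }
    $missing = @()
    foreach ($rule in $rules.GetEnumerator()) {
        if ($Content -notmatch $rule.Value) { $missing += $rule.Key }
    }
    return [pscustomobject]@{ Compliant = ($missing.Count -eq 0); Missing = $missing }
}

# Constructed broken variant: the default_properties line is removed, which is
# troubleshooting symptom 1 above; the checker names exactly that missing setting
$broken = $fipsReference -replace '(?m)^default_properties = fips=yes\s*$', ''

Test-OpensslCnfFips $fipsReference | Format-List
Test-OpensslCnfFips $broken | Format-List

# Run the same check against the file selected by OPENSSL_CONF (symptom 2 if unset)
if ($env:OPENSSL_CONF -and (Test-Path $env:OPENSSL_CONF)) {
    Test-OpensslCnfFips (Get-Content $env:OPENSSL_CONF -Raw) | Format-List
}
```

The checker only confirms that the expected lines are present; whether the configuration is actually picked up is what the `openssl list -providers` and MD5 tests above establish.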


Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional

Last modified: 2026/01/29 at 09:21 PM