Re: libcurl in fips mode

From: Daniel Stenberg via curl-library
Date: Wed, 31 Jul 2019 10:00:49 +0200 (CEST)

On Tue, 30 Jul 2019, Dipak B via curl-library wrote:

> Can you please help me with the following question?
> How do I use libcurl in FIPS mode?

libcurl has no special provisions for FIPS. If any source code changes or
function invocations are necessary, you need to make them.

OpenSSL FIPS support seems to only exist in the outdated 1.0.2 version and
according to just linking
with a FIPS OpenSSL 1.0.2 is not enough. It then also needs FIPS_mode_set() to
be called. (That's a 225 page document and I only skimmed it very casually so
I'm far from being knowledgeable in this area.)

It would probably be suitable to have curl's configure be able to detect that
function and be able to use it. But I'm hesitant to add support for that now
since OpenSSL 1.0.2 is old and reading on the openssl site it seems they
intend to do FIPS differently going forward.

A possibly more reliable way forward right now would be to instead switch to
wolfSSL that offers a FIPS version of their current version that is supported.

> a. Could not find curlopt_xxx for FIPS mode. Apology if this is not needed.

Normally I would guess that you want FIPS if the FIPS-enabled library was used
in the build so such an option wouldn't be used, but I've not received much
feedback on this topic from FIPS-using curl users so I'm mostly guessing.

> b. Checking if VTLS interface can be leveraged to pass socket for which FIPS
> is configured.

I don't think that sounds like a viable way forward.

Received on 2019-07-31