
Re: libcurl in fips mode

From: Alibek Jorajev via curl-library <curl-library_at_cool.haxx.se>
Date: Wed, 31 Jul 2019 15:36:50 +0000 (UTC)

 
Some extra tips.
You essentially need 3 things for FIPS:
1. build FIPS capable OpenSSL
2. do correct linking (you need to run a special script, which will inject the FIPS fingerprint - all described in the FIPS user guide)
3. call FIPS_mode_set() in your application (not in Curl!)
If you miss step (2), your step (3) will fail.

    On Wednesday, 31 July 2019, 04:26:03 GMT-4, Max Dymond via curl-library <curl-library_at_cool.haxx.se> wrote:
 
> > Can you please help me with the following question?
> >
> > How do I use libcurl in FIPS mode?

> libcurl has no special provisions for FIPS. If any source code changes or function invokes are necessary, you need to make them.

> OpenSSL FIPS support seems to only exist in the outdated 1.0.2 version and according to https://www.openssl.org/docs/fips/UserGuide-2.0.pdf just linking with a FIPS OpenSSL 1.0.2 is not enough. It then also needs FIPS_mode_set() to be called. (That's a 225 page document and I only skimmed it very casually so I'm far from being knowledgeable in this area.)

If you set the kernel command line parameter to "fips=1" on CentOS (possibly other OSes) then FIPS_mode_set() gets enabled in OpenSSL automatically at start of day; see docs:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sect-security_guide-federal_standards_and_regulations-federal_information_processing_standard
https://docs.oracle.com/cd/E37670_01/E36387/html/section_bj5_szv_wp.html

If this isn't a viable solution, then you can also link to OpenSSL and call FIPS_mode_set() within your application before using curl.

-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette:  https://curl.haxx.se/mail/etiquette.html

Received on 2019-07-31
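
An added example, not part of the mails above: a shell check of the kernel-side "fips=1" switch the thread mentions, comparing what was requested at boot with what the kernel reports. The function names are hypothetical, and the default paths (/proc/cmdline and /proc/sys/crypto/fips_enabled) are assumed standard Linux locations; it says nothing about whether a given OpenSSL build passed its own FIPS self-test.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are parameters so the logic
# can be exercised against constructed files as well as the live host.

# fips_cmdline_flag FILE
# Prints the value of the fips= token on a kernel command line, or "unset".
# If the token appears more than once, this script keeps the last one seen.
fips_cmdline_flag() {
    if [ ! -r "$1" ]; then
        echo unset
        return 0
    fi
    # One token per line, keep only fips=<value>, strip the key.
    val=$(tr -s ' \t' '\n' < "$1" | sed -n 's/^fips=//p' | tail -n 1)
    [ -n "$val" ] || val=unset
    printf '%s\n' "$val"
}

# fips_host_state [CMDLINE_FILE] [FLAG_FILE]
# Prints one of:
#   enabled      - fips=1 was requested and the kernel flag reads 1
#   disabled     - neither is set
#   inconsistent - requested but not active, or active but not requested
fips_host_state() {
    cmdline_file="${1:-/proc/cmdline}"
    flag_file="${2:-/proc/sys/crypto/fips_enabled}"
    requested=$(fips_cmdline_flag "$cmdline_file")
    # A missing flag file is treated as "not active".
    active=$(cat "$flag_file" 2>/dev/null || echo 0)
    if [ "$requested" = "1" ] && [ "$active" = "1" ]; then
        echo enabled
    elif [ "$requested" != "1" ] && [ "$active" != "1" ]; then
        echo disabled
    else
        echo inconsistent
    fi
}

# Report the state of the host this script runs on.
fips_host_state
```

A result of "disabled" or "inconsistent" means the automatic route is not in effect, and the application has to call FIPS_mode_set() itself and check its return value before using libcurl.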