It is still early days, but I have started migrating from OpenSSL 1.0.2 to 3.0.2. (Windows)
After building OpenSSL 3.0.2, to complete the installation you need to run the "fipsinstall" command-line application.
I did this with the following command, as suggested:
C:\WORK\c89f702a343c78ef949c71865ebdfc637541b638\bin\openssl.exe fipsinstall -out C:\WORK\c89f702a343c78ef949c71865ebdfc637541b638\fipsmodule.cnf -module C:\WORK\c89f702a343c78ef949c71865ebdfc637541b638\lib\ossl-modules\fips.dll
Module_Integrity:(KAT_Cipher):Pass
SHA1:(KAT_Cipher):Pass
RSA:(KAT_Signature):RNG:(Continuous_RNG_Test):Pass:(PCT_Signature):Pass:(PCT_Signature):Pass:(PCT_Signature):Pass:(PCT_Signature):Pass
TLS13_KDF_EXTRACT:(KAT_KDF):Pass
TLS13_KDF_EXPAND:(KAT_KDF):Pass
TLS12_PRF:(KAT_KDF):Pass
PBKDF2:(KAT_KDF):Pass
SSHKDF:(KAT_KDF):(KAT_KDF):Pass
HKDF:(KAT_KDF):Pass
SSKDF:(KAT_KDF):Pass
X963KDF:(KAT_KDF):PASSED:(KAT_KA):PASSED:(KAT_KA):Pass
RSA_Encrypt:(KAT_AsymmetricCipher):Pass
RSA_Decrypt:(KAT_AsymmetricCipher):Pass
RSA_Decrypt:(KAT_AsymmetricCipher):Pass
It created this configuration file, fipsmodule.cnf:
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 3A:EC:2E:53:3F:92:44:F9:50:13:70:6E:FD:38:37:08:8B:F2:68:56:CC:B4:ED:5F:A1:52:1B:93:15:37:0B:8C
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
However, the OpenSSL 3.0 warning note says the following:
You cannot copy the FIPS module configuration file output data from one machine to another.
Below is the folder layout containing the files needed to correctly generate the configuration file.
C:\WORK\c89f702a343c78ef949c71865ebdfc637541b638>tree /f /a
Folder PATH listing
Volume serial number is 448B-63A8
C:.
|   conaninfo.txt
|   conanmanifest.txt
|   fipsmodule.cnf
|
+---bin
|       c_rehash.pl
|       openssl.exe
|
+---include
|   \---openssl
|           aes.h
|           asn1.h
|           asn1err.h
|           asn1t.h
|           asn1_mac.h
|           async.h
|           asyncerr.h
|           bio.h
|           bioerr.h
|           blowfish.h
|           bn.h
|           bnerr.h
|           buffer.h
|           buffererr.h
|           camellia.h
|           cast.h
|           cmac.h
|           cmp.h
|           cmperr.h
|           cmp_util.h
|           cms.h
|           cmserr.h
|           comp.h
|           comperr.h
|           conf.h
|           conferr.h
|           configuration.h
|           conftypes.h
|           conf_api.h
|           core.h
|           core_dispatch.h
|           core_names.h
|           core_object.h
|           crmf.h
|           crmferr.h
|           crypto.h
|           cryptoerr.h
|           cryptoerr_legacy.h
|           ct.h
|           cterr.h
|           decoder.h
|           decodererr.h
|           des.h
|           dh.h
|           dherr.h
|           dsa.h
|           dsaerr.h
|           dtls1.h
|           ebcdic.h
|           ec.h
|           ecdh.h
|           ecdsa.h
|           ecerr.h
|           encoder.h
|           encodererr.h
|           engine.h
|           engineerr.h
|           err.h
|           ess.h
|           esserr.h
|           evp.h
|           evperr.h
|           e_os2.h
|           fipskey.h
|           fips_names.h
|           hmac.h
|           http.h
|           httperr.h
|           idea.h
|           kdf.h
|           kdferr.h
|           lhash.h
|           macros.h
|           md2.h
|           md4.h
|           md5.h
|           mdc2.h
|           modes.h
|           objects.h
|           objectserr.h
|           obj_mac.h
|           ocsp.h
|           ocsperr.h
|           opensslconf.h
|           opensslv.h
|           ossl_typ.h
|           params.h
|           param_build.h
|           pem.h
|           pem2.h
|           pemerr.h
|           pkcs12.h
|           pkcs12err.h
|           pkcs7.h
|           pkcs7err.h
|           proverr.h
|           provider.h
|           prov_ssl.h
|           rand.h
|           randerr.h
|           rc2.h
|           rc4.h
|           rc5.h
|           ripemd.h
|           rsa.h
|           rsaerr.h
|           safestack.h
|           seed.h
|           self_test.h
|           sha.h
|           srp.h
|           srtp.h
|           ssl.h
|           ssl2.h
|           ssl3.h
|           sslerr.h
|           sslerr_legacy.h
|           stack.h
|           store.h
|           storeerr.h
|           symhacks.h
|           tls1.h
|           trace.h
|           ts.h
|           tserr.h
|           txt_db.h
|           types.h
|           ui.h
|           uierr.h
|           whrlpool.h
|           x509.h
|           x509err.h
|           x509v3.h
|           x509v3err.h
|           x509_vfy.h
|           __DECC_INCLUDE_EPILOGUE.H
|           __DECC_INCLUDE_PROLOGUE.H
|
+---lib
|   |   libcrypto.lib
|   |   libssl.lib
|   |
|   +---cmake
|   |       conan-official-openssl-variables.cmake
|   |
|   +---engines-3
|   \---ossl-modules
|           fips.dll
|           legacy.dll
|
\---licenses
    |   LICENSE.txt
    |
    \---external
        \---perl
            \---Text-Template-1.56
                    LICENSE
Question
As OpenSSL 3.0.2 gets deployed to many machines, do I now also need to distribute the files above and run fipsinstall to create a server-specific configuration file? Having all this extra baggage rather than just copying the configuration file onto the machine seems odd. Why not use the same configuration (presumably it is MAC-address dependent)? Why is this configuration needed at all?
Posted on 2022-04-15 16:28:45
Note that there are two checksums in the configuration file. One is the FIPS module checksum and the other is the checksum of the configuration. Without the configuration checksum, the file can be copied across machines, which means the self-tests will always run when the FIPS module (i.e. the fips provider) is loaded. However, if the configuration checksum is present, the file cannot be copied, because that would mean the self-tests would not run on the machine the configuration file was copied to. That would violate the FIPS implementation guidance, which requires the self-tests to be run at least once after installation.
It looks like openssl.cnf can be copied across machines without install-status and install-mac:
config_diagnostics = 1
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 3A:EC:2E:53:3F:92:44:F9:50:13:70:6E:FD:38:37:08:8B:F2:68:56:CC:B4:ED:5F:A1:52:1B:93:15:37:0B:8C
fipsmodule.cnf has the following format:
[fips_sect]
activate = 1
install-version = 1
conditional-errors = 1
security-checks = 1
module-mac = 3A:EC:2E:53:3F:92:44:F9:50:13:70:6E:FD:38:37:08:8B:F2:68:56:CC:B4:ED:5F:A1:52:1B:93:15:37:0B:8C
install-mac = 41:9C:38:C2:8F:59:09:43:2C:AA:2F:58:36:2D:D9:04:F9:6C:56:8B:09:E0:18:3A:2E:D6:CC:69:05:04:E1:11
install-status = INSTALL_SELF_TEST_KATS_RUN
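To make the two checksums concrete, here is an added example that is not part of the question, the answer, or OpenSSL's own code. It computes them the way the fips provider does as far as I know: both are HMAC-SHA256 under the fixed key published as FIPS_KEY_STRING in include/openssl/fipskey.h (the header listed in the tree above); module-mac covers the bytes of fips.dll, and install-mac covers only the literal string INSTALL_SELF_TEST_KATS_RUN, which is why it contains nothing host-specific. The key value is copied from that header and should be checked against your own build; the module bytes and the generated config text below are constructed for the demo, and the check_config / write_fips_sect helpers are mine, not OpenSSL APIs.

```python
import hashlib
import hmac
import re

# Fixed HMAC-SHA256 key compiled into the FIPS provider (FIPS_KEY_STRING in
# include/openssl/fipskey.h of OpenSSL 3.0). Copied from the header; verify it
# against your own tree before relying on it.
FIPS_KEY = bytes.fromhex(
    "f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813"
)
# The literal that fipsinstall writes as install-status and MACs as install-mac.
INSTALL_STATUS_VAL = "INSTALL_SELF_TEST_KATS_RUN"


def mac_hex(data: bytes) -> str:
    """HMAC-SHA256 under the fixed key, formatted like fipsinstall (AA:BB:...)."""
    digest = hmac.new(FIPS_KEY, data, hashlib.sha256).digest()
    return ":".join(f"{b:02X}" for b in digest)


def module_mac(module_bytes: bytes) -> str:
    """module-mac: integrity MAC over the entire fips.dll / fips.so file."""
    return mac_hex(module_bytes)


def install_mac() -> str:
    """install-mac: MAC over the status string only, so it is the same on every host."""
    return mac_hex(INSTALL_STATUS_VAL.encode("ascii"))


def write_fips_sect(module_bytes: bytes, record_install: bool) -> str:
    """Produce a [fips_sect] shaped like fipsinstall's output (helper for this demo).
    record_install=False leaves out install-mac/install-status, the form the
    answer describes as copyable: the provider then re-runs self-tests on load."""
    lines = [
        "[fips_sect]",
        "activate = 1",
        "install-version = 1",
        "conditional-errors = 1",
        "security-checks = 1",
        f"module-mac = {module_mac(module_bytes)}",
    ]
    if record_install:
        lines.append(f"install-mac = {install_mac()}")
        lines.append(f"install-status = {INSTALL_STATUS_VAL}")
    return "\n".join(lines) + "\n"


def parse_fips_sect(cnf_text: str) -> dict:
    """Collect key = value pairs from the [fips_sect] section of a .cnf file."""
    sect, in_sect = {}, False
    for raw in cnf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[\s*(.+?)\s*\]", line)
        if header:
            in_sect = header.group(1) == "fips_sect"
            continue
        if in_sect and "=" in line:
            key, value = line.split("=", 1)
            sect[key.strip()] = value.strip()
    return sect


def check_config(cnf_text: str, module_bytes: bytes) -> dict:
    """Verify a fipsmodule.cnf against the module bytes actually present on this host.
    install_mac_ok is None when the config carries no install record at all."""
    sect = parse_fips_sect(cnf_text)
    verdict = {
        "module_mac_ok": hmac.compare_digest(
            sect.get("module-mac", "").encode(), module_mac(module_bytes).encode()
        ),
        "install_recorded": "install-mac" in sect and "install-status" in sect,
        "install_mac_ok": None,
    }
    if verdict["install_recorded"]:
        verdict["install_mac_ok"] = (
            sect["install-status"] == INSTALL_STATUS_VAL
            and hmac.compare_digest(sect["install-mac"].encode(), install_mac().encode())
        )
    return verdict


if __name__ == "__main__":
    # Constructed stand-in for fips.dll; for a real check read the file with open(path, "rb").
    module = b"\x4d\x5a" + bytes(range(256)) * 4
    cnf = write_fips_sect(module, record_install=True)
    print(cnf)
    print(check_config(cnf, module))
    # The same config checked against a different build of the module fails integrity.
    print(check_config(cnf, module + b"\x00"))
```

Run against a real host, feed check_config the bytes of the fips.dll that is actually installed there; a config generated on one machine still verifies on another only if the module binary is byte-identical. The supported way to do the same check on each machine is `openssl fipsinstall -verify -in fipsmodule.cnf -module <path to fips.dll>`, which is what to run per host instead of copying a config that records an install that never happened there.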
https://stackoverflow.com/questions/71861980