openssl non-fips crypto suites

ofero
Posts: 3
Joined: 2018/02/21 11:48:56

Post by ofero » 2018/02/21 11:54:34

When I execute "openssl version" I get the following version of openssl:

OpenSSL 1.0.2k-fips 26 Jan 2017

But I need to use elliptic curves which are not FIPS.

If I download and compile openssl from the source, these curves are available, but not in the openssl version with the -fips name extension.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: openssl non-fips crypto suites

Post by TrevorH » 2018/02/21 12:00:28

The version of openssl in CentOS is inherited directly from the version included in RHEL 7 and Red Hat remove some of the ciphers etc. from the source due to patent/licensing concerns. To get those enabled in the distro you'd need to ask Red Hat to enable them in RHEL via bugzilla.redhat.com.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

Re: openssl non-fips crypto suites

Post by ofero » 2018/02/21 12:04:30

So there is not a configuration file which enables the additional ciphers? Because my OS is not running in FIPS mode.

And if I need to download and recompile openssl, can anyone provide guidelines which ensure that the new openssl version is used by the apache httpd mod_ssl module?

Re: openssl non-fips crypto suites

Post by TrevorH » 2018/02/21 16:05:05

FIPS mode has nothing to do with it. It's patent and licensing concerns that dictate which ciphers Red Hat choose to include.