Date: Sat, 08 Jul 2023 20:54:10 +0000
From: bugzilla-noreply@freebsd.org
To: ports-bugs@FreeBSD.org
Subject: [Bug 271656] [exp-run] with OpenSSL 3.0 in the base system
Message-ID: <bug-271656-7788-e8GFDK98wR@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-271656-7788@https.bugs.freebsd.org/bugzilla/>
References: <bug-271656-7788@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=271656

--- Comment #54 from Pierre Pronchery <khorben@defora.org> ---
(In reply to Guido Falsi from comment #53)

I have managed to track down the issue, and make the FIPS provider work on FreeBSD. Here is a copy of my comment on GitHub's #787 PR to this effect:
(https://github.com/freebsd/freebsd-src/pull/787)

> I just confirmed that the FIPS module can be configured to load correctly, with this pull-up request applied, on my local amd64 machine:
>
> * Enabling the FIPS provider in `openssl.cnf` disables the default module, so make sure it has `activate = 1` in its section.
> * The default module is required for `openssl fipsinstall`, otherwise no HMAC provider is available to generate the corresponding configuration file. (Defaults to `fips.cnf`)
> * The output of `openssl fipsinstall` (the configuration file) needs to be installed in e.g., `/etc/ssl/fipsmodule.cnf` and included by `openssl.cnf` in order for the FIPS provider to work. (Check the provider's section name to be correct and matching that of `fipsmodule.cnf`, e.g., `fips_sect`)
> * The configuration file depends on the binary code of the `fips.so` provider module, therefore in order for FreeBSD to ship a working FIPS provider by default, `openssl fipsinstall` (or an equivalent) has to be executed to generate it once all of OpenSSL is done building.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
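
The conditions listed in the comment above can be checked mechanically before relying on the FIPS provider. The script below is an added example, not part of the original message or of FreeBSD or OpenSSL: the function names (`conf_get`, `check_fips_conf`, `write_samples`) and the sample files are constructed for illustration. It assumes the usual `openssl_conf` / `providers` section layout and that the `openssl fipsinstall` output carries a `module-mac` key.

```shell
#!/bin/sh
# conf_get FILE SECTION KEY: print KEY's value inside [SECTION] ("" = before any section).
conf_get() {
    awk -v sect="$2" -v key="$3" '
        { sub(/#.*/, "") }                      # drop comments
        /^[ \t]*\[/ { sub(/^[ \t]*\[[ \t]*/, ""); sub(/[ \t]*\].*/, ""); cur = $0; next }
        cur == sect && (n = index($0, "=")) {
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_fips_conf OPENSSL_CNF FIPSMODULE_CNF: returns 0 only if all three conditions hold.
check_fips_conf() {
    conf=$1 fipsmod=$2 rc=0
    init=$(conf_get "$conf" "" openssl_conf)
    provs=$(conf_get "$conf" "$init" providers)
    fips_sect=$(conf_get "$conf" "$provs" fips)
    def_sect=$(conf_get "$conf" "$provs" default)
    # 1. openssl.cnf must include the file written by `openssl fipsinstall`.
    grep -E '^[[:space:]]*\.include' "$conf" | grep -Fq "$(basename "$fipsmod")" ||
        { echo "FAIL: no .include of $(basename "$fipsmod") in $conf"; rc=1; }
    # 2. The provider's section name must exist in that file and carry the module MAC.
    [ -n "$fips_sect" ] && [ -n "$(conf_get "$fipsmod" "$fips_sect" module-mac)" ] ||
        { echo "FAIL: section '$fips_sect' with module-mac not found in $fipsmod"; rc=1; }
    # 3. The default provider must be activated explicitly next to the FIPS one.
    [ -n "$def_sect" ] && [ "$(conf_get "$conf" "$def_sect" activate)" = 1 ] ||
        { echo "FAIL: default provider is not activated in $conf"; rc=1; }
    return $rc
}

# Constructed sample files (not from the original message); the MAC is a placeholder.
write_samples() {
    dir=$1
    printf '%s\n' '[fips_sect]' 'activate = 1' 'module-mac = PLACEHOLDER' > "$dir/fipsmodule.cnf"
    printf '%s\n' 'openssl_conf = openssl_init' ".include $dir/fipsmodule.cnf" \
        '[openssl_init]' 'providers = provider_sect' \
        '[provider_sect]' 'fips = fips_sect' 'default = default_sect' \
        '[default_sect]' 'activate = 1' > "$dir/good.cnf"
    # Same file with the default provider left inactive.
    sed 's/^activate = 1$/# activate = 1/' "$dir/good.cnf" > "$dir/bad.cnf"
}

if [ "$#" -eq 2 ]; then check_fips_conf "$1" "$2"; fi
```

Run against a real installation, the two arguments are the paths to `openssl.cnf` and to the installed `openssl fipsinstall` output. The check only inspects the configuration text; it does not verify that the MAC still matches the installed `fips.so`.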