@@ -38,39 +38,69 @@ Erlang code (like SRP) are disabled.
3838
3939## Enabling FIPS mode
4040
41- 1 . Build or install the FIPS Object Module and a FIPS enabled OpenSSL library.
42-
43- You should read and precisely follow the instructions of the
44- [ Security Policy] ( http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf )
45- and [ User Guide] ( https://www.openssl.org/docs/fips/UserGuide-2.0.pdf ) .
46-
4741> #### Warning {: .warning }
4842>
4943> It is very easy to build a working OpenSSL FIPS Object Module and library from
50- > the source. However it _ does not_ qualify as FIPS 140-2 validated if the
51- > numerous restrictions in the Security Policy are not properly followed.
44+ > the source, all OpenSSL versions support FIPS. However any version _ does not_
45+ > qualify as FIPS 140-2 or FIPS 140-3 validated if the numerous restrictions in
46+ > the Security Policy are not properly followed, the version also must be listed
47+ > on the NIST website as validated.
48+
49+ ### Build FIPS-enabled OpenSSL
50+
51+ For a proper FIPS-compliant build you should read and precisely follow the instructions
52+ of the [ Security Policy 140-2] ( https://csrc.nist.gov/pubs/fips/140-2/upd2/final )
53+ superceded by [ Security Policy 140-3] ( https://csrc.nist.gov/pubs/fips/140-3/final )
54+ and [ User Guide] ( https://docs.openssl.org/ ) ,
55+ but to get quick results which allow you to continue development, read on...
56+
57+ Build is performed in 2 steps (for Windows follow the steps in ` NOTES-WINDOWS.md ` ):
58+ 1 . Define, where you will put the compiled OpenSSL files, this will be your ` SSLDIR ` .
59+ ``` bash
60+ export SSLDIR=...
61+ ```
62+ 2 . Configure the library. Run once (requires Perl):
63+ ``` bash
64+ export OPENSSL_CONF=${SSLDIR} /openssl.cnf
65+ ./Configure shared enable-fips --prefix=${SSLDIR} --openssldir=${SSLDIR}
66+ ```
67+ 3 . Build the library
68+ ``` bash
69+ make -j && make install install_fips
70+ ```
71+
72+ ### Configuring OpenSSL for FIPS
73+
74+ Now that the ` make install ` has finished and the ` ${SSLDIR} ` contains your ready
75+ to use copy of OpenSSL, it is time to configure it for FIPS mode.
76+
77+ 1 . Edit the ` openssl.cnf `
78+ 1 . Find ` .include fipsmodule.cnf ` and edit it to include the full path to the ` .cnf ` file.
79+ 2 . Find ` fips = fips_sect ` and uncomment
80+ 2 . Inside ` ${SSLDIR} ` copy or link two files found ` lib/ossl-modules/ `
81+ (` fips.so ` or ` fips.dylib ` , and ` legacy.so ` or ` legacy.dylib ` ) to be found in ` ${SSLDIR}/lib ` .
82+ 3 . You can verify that OpenSSL was configured correctly by invoking it from ` ${SSLDIR} ` :
83+ ``` bash
84+ bin/openssl list -providers
85+ ```
86+ You should expect to see both ` default ` and ` fips ` providers, both having
87+ ` status: active ` . The ` default ` can be disabled in ` openssl.cnf ` in the
88+ ` [default] ` section.
89+
90+ ### Building Erlang with FIPS
5291
53921 . Configure and build Erlang/OTP with FIPS support:
54-
55- ``` text
56- $ cd $ERL_TOP
57- $ ./otp_build configure --enable-fips
58- ...
59- checking for FIPS_mode_set... yes
60- ...
61- $ make
62- ```
63-
64- If ` FIPS_mode_set ` returns ` no ` the OpenSSL library is not FIPS enabled and
65- crypto won't support FIPS mode either.
66-
67- 1 . Set the ` fips_mode ` configuration setting of the crypto application to ` true `
68- _ before loading the crypto module_ .
69-
70- The best place is in the ` sys.config ` system configuration file of the release.
71-
72- 1 . Start and use the crypto application as usual. However take care to avoid the
73- non-FIPS validated algorithms, they will all throw exception ` not_supported ` .
93+ ``` bash
94+ export ERL_TOP=` pwd` # where your Erlang source is located
95+ ./otp_build setup -a --enable-fips --with-ssl=${SSLDIR}
96+ ```
97+ 2 . Set the ` fips_mode ` configuration setting of the ` crypto ` application to ` true `
98+ _ before starting the ` crypto ` application_ .
99+ The best place to do so is in the ` sys.config ` system configuration file of the release,
100+ but for development you can create your own ` fips.config ` file and provide it to Erlang.
101+ 3 . Start and use the crypto application as usual. However any attempt to use
102+ non-FIPS validated algorithms will end with a ` not_supported ` exception.
103+ 4 . Verify that FIPS was enabled by calling ` crypto:info_fips() ` and ` crypto:supports() ` .
74104
75105Entering and leaving FIPS mode on a node already running crypto is not
76106supported. The reason is that OpenSSL is designed to prevent an application
@@ -125,7 +155,7 @@ those allowed by the Security Policy shall be used.
125155
126156### Avoid md5 for hashing
127157
128- Md5 is a popular choice as a hash function, but it is not secure enough to be
158+ MD5 is a popular choice as a hash function, but it is not secure enough to be
129159validated. Try to use sha instead wherever possible.
130160
131161For exceptional, non-cryptographic use cases one may consider switching to
0 commit comments