[gnutls-help] Compiling with the FIPS option

Nikos Mavrogiannopoulos nmav at gnutls.org
Thu Jan 15 12:43:10 CET 2015


On Thu, Jan 15, 2015 at 11:44 AM, jonetsu at teksavvy.com
<jonetsu at teksavvy.com> wrote:
>> Correct, I forgot about it. You'll need to patch gnutls' fips.c to
>> use a key that agrees with the fipscheck package. I.e., apply the
>> following patch:
> Thanks.  Haven't had the opportunity to try it yet.  I have a general
> question regarding FIPS mode, about the way it works.  Is there a need
> to modify all applications using GnuTLS to add FIPS init code, or is
> there some automatic function being called when the library is loaded
> (or otherwise used) by an application, that will execute all
> FIPS-related checks and tests ?

It works transparently. The checks are executed on library load, and the default algorithm sets are modified to contain only the FIPS140-2 allowed ciphers. The only issue you'll have is with applications that specifically request a non-FIPS approved cipher like RC4 or MD5. These applications will fail (as expected).

regards,
Nikos
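As an added example, not code from this thread or from GnuTLS itself: the self-contained C model below shows the shape of the transparent behaviour Nikos describes. A constructor runs when the shared object is mapped, performs an integrity check and a known-answer self-test, and on success trims the default algorithm list to the approved subset, so an application needs no FIPS init call and a request for RC4 or MD5 simply fails. Everything in it is an assumption of the model: the error codes, the four-entry algorithm registry, the MODEL_FIPS_MODE environment variable standing in for the system policy, and a byte-sum checksum over a constructed "module image" standing in for the HMAC that a real module (and the fipscheck package mentioned earlier in the thread) verifies against the on-disk library.

```c
/* Model of load-time FIPS gating, written for this page (not GnuTLS code). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical error codes for this model. */
#define ERR_UNWANTED_ALGORITHM  (-1)
#define ERR_SELFTEST_FAILED     (-2)

struct algo { const char *name; int fips_approved; };

/* Constructed registry; the flag stands in for FIPS 140-2 approval status. */
static const struct algo registry[] = {
    { "AES-128-GCM", 1 }, { "SHA-256", 1 }, { "RC4", 0 }, { "MD5", 0 },
};
#define NREG (sizeof registry / sizeof registry[0])

/* 0: FIPS mode off, 1: enforced, 2: a check failed (module refuses service). */
static int fips_mode = 0;

/* Stand-in for the approved cipher exercised by the power-up known-answer test. */
static unsigned char toy_cipher(unsigned char key, unsigned char pt) { return key ^ pt; }

/* Constructed "module image" and the checksum recorded for it at build time.
 * A real module verifies an HMAC of the on-disk library against a stored
 * .hmac file; a byte sum is used here only to keep the model self-contained. */
static const unsigned char module_image[] = "FIPS";
static const unsigned int module_checksum = 306;   /* 'F'+'I'+'P'+'S' */

int fips_integrity_check(const unsigned char *image, size_t len) {
    unsigned int sum = 0;
    for (size_t i = 0; i < len; i++) sum += image[i];
    return sum == module_checksum ? 0 : ERR_SELFTEST_FAILED;
}

int fips_selftest_kat(void) {
    /* Known answer: 0x5A ^ 0x3C == 0x66.  A wrong result means the
     * implementation is broken and the module must refuse service. */
    return toy_cipher(0x5A, 0x3C) == 0x66 ? 0 : ERR_SELFTEST_FAILED;
}

/* Apply the load-time policy.  Returns 0, or ERR_SELFTEST_FAILED when FIPS
 * mode is required but a check failed; the module then enters the error
 * state and refuses every algorithm, approved or not. */
int fips_init_with_policy(int enforce, const unsigned char *image, size_t len) {
    if (!enforce) { fips_mode = 0; return 0; }
    if (fips_integrity_check(image, len) < 0 || fips_selftest_kat() < 0) {
        fips_mode = 2;
        return ERR_SELFTEST_FAILED;
    }
    fips_mode = 1;
    return 0;
}

int fips_mode_enabled(void) { return fips_mode == 1; }

/* Runs before main() whenever the library is loaded; the application never
 * calls it.  The environment variable is an assumption of this model. */
__attribute__((constructor))
static void fips_on_load(void) {
    fips_init_with_policy(getenv("MODEL_FIPS_MODE") != NULL,
                          module_image, sizeof module_image - 1);
}

/* What an application hits when it asks for a specific algorithm by name. */
int request_algorithm(const char *name) {
    if (fips_mode == 2) return ERR_SELFTEST_FAILED;
    for (size_t i = 0; i < NREG; i++) {
        if (strcmp(registry[i].name, name) != 0) continue;
        if (fips_mode == 1 && !registry[i].fips_approved)
            return ERR_UNWANTED_ALGORITHM;   /* e.g. RC4 or MD5 in FIPS mode */
        return 0;
    }
    return ERR_UNWANTED_ALGORITHM;           /* unknown algorithm */
}

/* The default list an application gets without asking for anything specific:
 * trimmed to the approved subset when FIPS mode is enforced. */
const char *default_algorithm_list(void) {
    static char buf[128];
    buf[0] = '\0';
    for (size_t i = 0; i < NREG; i++) {
        if (fips_mode == 1 && !registry[i].fips_approved) continue;
        if (buf[0]) strncat(buf, ":", sizeof buf - strlen(buf) - 1);
        strncat(buf, registry[i].name, sizeof buf - strlen(buf) - 1);
    }
    return buf;
}

int main(void) {
    printf("fips mode enforced: %d\n", fips_mode_enabled());
    printf("default list: %s\n", default_algorithm_list());
    printf("MD5 request: %d\n", request_algorithm("MD5"));
    return 0;
}
```

Run it once with MODEL_FIPS_MODE unset and once with it exported: the program source is identical in both cases, which is the point of the transparent design, and the MD5 request only fails in the second run. The error state (a tampered image) is the other case worth noting: once a power-up check fails, even the approved algorithms are refused, so a self-test failure surfaces as every TLS operation failing, not just the legacy ones.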


