FIPS_CONFIG 5ossl 2025-09-16 3.5.3 OpenSSL

NAME
fips_config - OpenSSL FIPS configuration

DESCRIPTION
A separate configuration file, using the OpenSSL config(5) syntax,
is used to hold information about the FIPS module. This includes a digest
of the shared library file, and status about the self-testing.
This data is used automatically by the module itself for two
purposes:

- Run the startup FIPS self-test known answer tests (KATS).
    This is normally done once, at installation time, but may also be set up to
    run each time the module is used.

- Verify the module's checksum.
    This is done each time the module is used.

This file is generated by the openssl-fipsinstall(1) program, and
used internally by the FIPS module during its initialization.

The following options are supported. They should all appear in a section
whose name is identified by the fips option in the providers
section, as described in "Provider Configuration Module" in config(5).

activate
    If present, the module is activated. The value assigned to this name is not
    significant.

conditional-errors
    The FIPS module normally enters an internal error mode if any self test fails.
    Once this error mode is active, no services or cryptographic algorithms are
    accessible from this point on.
    Continuous tests are a subset of the self tests (e.g., a key pair test during key
    generation, or the CRNG output test).
    Setting this value to 0 allows the error mode to not be triggered if any
    continuous test fails. The default value of 1 will trigger the error mode.
    Regardless of the value, the operation (e.g., key generation) that called the
    continuous test will return an error code if its continuous test fails. The
    operation may then be retried if the error mode has not been triggered.

module-mac
    The calculated MAC of the FIPS provider file.

install-version
    A version number for the fips install process. Should be 1.

install-status
    This field is deprecated and is no longer used.

install-mac
    This field is deprecated and is no longer used.

FIPS indicator options
The following FIPS configuration options indicate if run-time checks related to
enforcement of FIPS security parameters such as minimum security strength of
keys and approved curve names are used.
A value of '1' will perform the checks, otherwise if the value is '0' the checks
are not performed and FIPS compliance must be done by procedures documented in
the relevant Security Policy.
See "OPTIONS" in openssl-fipsinstall(1) for further information related to these
options.

security-checks
    See "OPTIONS" in openssl-fipsinstall(1) -no_security_checks

tls1-prf-ems-check
    See "OPTIONS" in openssl-fipsinstall(1) -ems_check

no-short-mac
    See "OPTIONS" in openssl-fipsinstall(1) -no_short_mac

drbg-no-trunc-md
    See "OPTIONS" in openssl-fipsinstall(1) -no_drbg_truncated_digests

signature-digest-check
    See "OPTIONS" in openssl-fipsinstall(1) -signature_digest_check

hkdf-digest-check
    This option is deprecated.

tls13-kdf-digest-check
    See "OPTIONS" in openssl-fipsinstall(1) -tls13_kdf_digest_check

tls1-prf-digest-check
    See "OPTIONS" in openssl-fipsinstall(1) -tls1_prf_digest_check

sshkdf-digest-check
    See "OPTIONS" in openssl-fipsinstall(1) -sshkdf_digest_check

sskdf-digest-check
    This option is deprecated.

x963kdf-digest-check
    See "OPTIONS" in openssl-fipsinstall(1) -x963kdf_digest_check

dsa-sign-disabled
    See "OPTIONS" in openssl-fipsinstall(1) -dsa_sign_disabled

tdes-encrypt-disabled
    See "OPTIONS" in openssl-fipsinstall(1) -tdes_encrypt_disabled

rsa-pkcs15-pad-disabled
    See "OPTIONS" in openssl-fipsinstall(1) -rsa_pkcs15_pad_disabled

rsa-pss-saltlen-check
    See "OPTIONS" in openssl-fipsinstall(1) -rsa_pss_saltlen_check

rsa-sign-x931-pad-disabled
    See "OPTIONS" in openssl-fipsinstall(1) -rsa_sign_x931_disabled

hkdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -hkdf_key_check

kbkdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -kbkdf_key_check

tls13-kdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -tls13_kdf_key_check

tls1-prf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -tls1_prf_key_check

sshkdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -sshkdf_key_check

sskdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -sskdf_key_check

x963kdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -x963kdf_key_check

x942kdf-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -x942kdf_key_check

pbkdf2-lower-bound-check
    See "OPTIONS" in openssl-fipsinstall(1) -no_pbkdf2_lower_bound_check

ecdh-cofactor-check
    See "OPTIONS" in openssl-fipsinstall(1) -ecdh_cofactor_check

hmac-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -hmac_key_check

kmac-key-check
    See "OPTIONS" in openssl-fipsinstall(1) -kmac_key_check

For example:

    [fips_sect]
    activate = 1
    install-version = 1
    conditional-errors = 1
    security-checks = 1
    module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC
    install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
    install-status = INSTALL_SELF_TEST_KATS_RUN
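
The following Python audit of a section like the one above is an added example, not part of the OpenSSL documentation or code. It reports the conditions this page describes: a missing activate or module-mac, an install-version other than 1, conditional-errors set to 0, indicator options set to 0, and deprecated fields. The function names, finding messages, sample values and the default section name fips_sect (taken from the example above) are assumptions, and the parser covers only a small subset of config(5).

```python
# Added example, not OpenSSL code. Simplified parser: [section], key = value, # comments only.
INDICATORS = set("""security-checks tls1-prf-ems-check no-short-mac drbg-no-trunc-md
signature-digest-check tls13-kdf-digest-check tls1-prf-digest-check sshkdf-digest-check
x963kdf-digest-check dsa-sign-disabled tdes-encrypt-disabled rsa-pkcs15-pad-disabled
rsa-pss-saltlen-check rsa-sign-x931-pad-disabled hkdf-key-check kbkdf-key-check
tls13-kdf-key-check tls1-prf-key-check sshkdf-key-check sskdf-key-check x963kdf-key-check
x942kdf-key-check pbkdf2-lower-bound-check ecdh-cofactor-check hmac-key-check
kmac-key-check""".split())
DEPRECATED = {"install-status", "install-mac", "hkdf-digest-check", "sskdf-digest-check"}

def parse_sections(text):
    """Return {section: {key: value}} for the simplified syntax noted above."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit_fips_section(text, section="fips_sect"):
    """Return sorted (severity, option, message) findings for the named section."""
    opts = parse_sections(text).get(section)
    if opts is None:
        return [("error", section, "section not found")]
    findings = [("error", n, "absent") for n in ("activate", "module-mac") if n not in opts]
    if opts.get("install-version") != "1":
        findings.append(("warn", "install-version", "should be 1"))
    if opts.get("conditional-errors") == "0":
        findings.append(("warn", "conditional-errors",
                         "continuous test failure will not trigger error mode"))
    for name, value in opts.items():
        if name in INDICATORS and value == "0":
            findings.append(("warn", name, "run-time check not performed"))
        elif name in DEPRECATED:
            findings.append(("info", name, "deprecated"))
    return sorted(findings)

SAMPLE = """[fips_sect]
activate = 1
install-version = 1
conditional-errors = 0
security-checks = 1
hmac-key-check = 0
install-status = INSTALL_SELF_TEST_KATS_RUN
module-mac = 00:11:22:33  # constructed placeholder, not a real MAC"""
print(*audit_fips_section(SAMPLE), sep="\n")
```

The audit only reads the file; whether an option set to 0 is acceptable depends on the procedures in the relevant Security Policy.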

NOTES
When using the FIPS provider, it is recommended that the
config_diagnostics option is enabled to prevent accidental use of
non-FIPS validated algorithms via broken or mistaken configuration.
See config(5).

SEE ALSO
config(5)
openssl-fipsinstall(1)

HISTORY
This functionality was added in OpenSSL 3.0.

COPYRIGHT
Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
in the file LICENSE in the source distribution or at
<https://www.openssl.org/source/license.html>.