Debian’s OpenSSL 3.x (as in Trixie and Bookworm) uses the new provider-based architecture, and openssl-provider-fips is exactly what enables FIPS 140-2 mode. However, OpenSSL itself doesn’t automatically go into “FIPS mode” just because you installed the module; it needs to be explicitly configured and validated.
Hello,
My company has been using Debian servers since 2002. We have US Gov contracts and in the near future would like to make some of our servers FIPS 140-2 compliant. I have a test server set up using Trixie but I'm having trouble understanding how to configure OpenSSL with the FIPS module.
I have installed the openssl-provider-fips package, which I see provides /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so, and I've generated a fips.cnf file as well as updated /etc/ssl/openssl.cnf, but I'm not sure what to do after this. Can someone give me some tips or point me in the right direction?
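An added example, not part of the original thread: a static check that an openssl.cnf carries the directives OpenSSL's fips_module(7) manual shows for making FIPS the system-wide default, plus a runtime check. The section names follow that manual's sample and the include path in the comment is a placeholder; both function names are hypothetical.

```shell
#!/bin/sh
# Added example. Layout being checked (fips_module(7), system-wide FIPS default):
#   openssl_conf = openssl_init
#   .include /path/to/fipsmodule.cnf   <- written by `openssl fipsinstall`
#   [openssl_init]    providers = provider_sect / alg_section = algorithm_sect
#   [provider_sect]   fips = fips_sect / base = base_sect
#   [base_sect]       activate = 1
#   [algorithm_sect]  default_properties = fips=yes

# Print one "MISSING: ..." line per gap; return 0 only when there are none.
check_fips_conf() {
    awk '
    function miss(m) { print "MISSING: " m; bad = 1 }
    { sub(/[ \t]*#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }  # drop comments, trim
    $0 == "" { next }
    /^\.include/ { inc = 1; next }
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); gsub(/[ \t]/, "", sec); next }
    {
        eq = index($0, "="); if (!eq) next
        k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
        gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
        kv[sec "/" k] = v          # e.g. kv["base_sect/activate"] = "1"
    }
    END {
        init = kv["/openssl_conf"]
        if (init == "") miss("openssl_conf = <init section> in the default section")
        prov = kv[init "/providers"]; alg = kv[init "/alg_section"]
        if (init != "" && prov == "") miss("providers = <section> in [" init "]")
        fips = kv[prov "/fips"]; base = kv[prov "/base"]
        if (fips == "") miss("fips = <section> in the providers section")
        else if (!inc && kv[fips "/activate"] != "1")
            miss("[" fips "] with activate = 1 (or an .include of the fipsinstall output)")
        if (base == "" || kv[base "/activate"] != "1") miss("base provider with activate = 1")
        if (alg == "" || kv[alg "/default_properties"] != "fips=yes")
            miss("default_properties = fips=yes in the alg_section")
        exit bad + 0
    }' "$1"
}

# Runtime check on the host itself: the fips provider must be loaded, and MD5
# (not FIPS-approved) must be refused once fips=yes is the default property.
verify_fips_runtime() {
    openssl list -providers | grep -qi 'fips' || return 1
    ! openssl md5 /dev/null >/dev/null 2>&1
}
```

The static check cannot see inside an included file, so when the FIPS section comes from an `.include` it only confirms the include is present; `verify_fips_runtime` is what shows the provider actually loaded.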