Debian’s OpenSSL 3.x (as in Trixie and Bookworm) uses the new
provider-based architecture, and openssl-provider-fips is exactly what
enables FIPS 140-2 mode. However, OpenSSL itself doesn’t automatically go
into “FIPS mode” just because you installed the module; it needs to be
explicitly configured and validated.

On Wed, Oct 29, 2025 at 3:17 AM Robert A Wooldridge <
[email protected]> wrote:

> Hello,
>
> My company has been using Debian servers since 2002.  We have US Gov
> contracts and in the near future would like to make some of our servers
> fips 140-2 compliant.  I have a test server set up using Trixie but I'm
> having trouble understanding how to configure openssl with the fips
> module.
>
> I have installed openssl-provider-fips package which I see provides
> /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so and I've generated a
> fips.cnf file as well as updated /etc/ssl/openssl.cnf but I'm not sure what
> to do after this.  Can someone give me some tips or point me in the
> right direction?
>
>
>
> --
> *Bob Wooldridge*
> [email protected] <[email protected]>
> *EDM Incorporated*
>
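
For the step the reply describes (the module is installed, but OpenSSL still has to be told to load it), the script below is an added example, not part of either message or of Debian's packaging: it statically checks an `openssl.cnf` for the directives OpenSSL 3 needs to activate the FIPS provider. The `/etc/ssl/fipsmodule.cnf` path, the section names and the sample config are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed layout: the module config was
# generated beforehand with something like
#   openssl fipsinstall -module /usr/lib/x86_64-linux-gnu/ossl-modules/fips.so \
#                       -out /etc/ssl/fipsmodule.cnf
# (the output path is an assumption; fips_sect is fipsinstall's default section).

# Constructed sample of the openssl.cnf lines that turn FIPS on.
sample_conf() {
cat <<'EOF'
openssl_conf = openssl_init
.include /etc/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1

[algorithm_sect]
default_properties = fips=yes
EOF
}

# check_fips_conf FILE: print what is missing; return 0 only if nothing is.
check_fips_conf() {
    rc=0
    # Drop comments and whitespace so "a = b" and "a=b" compare equal.
    norm=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' "$1")
    need() { printf '%s\n' "$norm" | grep -Eq "$1" || { echo "missing: $2"; rc=1; }; }
    need '^\.include.*fipsmodule\.cnf$' '.include of the fipsinstall output'
    need '^providers='                  'providers = <section> under [openssl_init]'
    need '^fips='                       'fips = <section> in the provider section'
    need '^base='                       'base provider (key/cert encoders, no crypto)'
    need '^default_properties=fips=yes$' 'default_properties = fips=yes'
    return "$rc"
}

tmp=$(mktemp) && sample_conf > "$tmp"
check_fips_conf "$tmp" && echo "static check passed"
rm -f "$tmp"
# Runtime confirmation on the real host: `openssl list -providers` must show
# the fips provider as active, and `openssl md5 /dev/null` should now fail,
# since MD5 is not offered by the FIPS provider.
```

A passing static check only shows the config asks for the FIPS provider; the `openssl list -providers` output on the host is what confirms the module actually loaded and passed its self-tests.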
