Thomas,

> I consider this a bug, of course, but at least now I know what's causing it 
> and how to work around it.

thanks for sharing your analysis. Would you mind creating a GitHub issue for 
the hang?

https://github.com/openssl/openssl/issues

Matthias


From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Thomas 
Dwyer III
Sent: Friday, July 17, 2020 6:57 PM
To: openssl-users <openssl-users@openssl.org>
Subject: [SOLVED] Re: OpenSSL 3.0 hangs at exit with FIPS provider

It turns out the problem was caused by a misinterpretation of the phrase "add 
the following lines near the beginning" in section 7.1 of the documentation at 
https://wiki.openssl.org/index.php/OpenSSL_3.0 for enabling FIPS support. I 
added these lines to the very top of the file:

openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect

This caused the existing default section to now become part of the 
[provider_sect] section. Apparently any name=value line in that particular 
section where no [value] section exists causes OpenSSL to hang at exit when the 
FIPS provider is used. I consider this a bug, of course, but at least now I 
know what's causing it and how to work around it.

Regarding how to confirm which provider is actually providing a given 
algorithm, I found that EVP_MD_provider() returns NULL for any EVP_MD obtained 
via EVP_get_digestbyname() (even after it's used successfully by 
EVP_DigestInit_ex()) but it returns a valid OSSL_PROVIDER for any EVP_MD 
obtained via EVP_MD_fetch(). Is this intentional?


Tom.III
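The section-ordering problem described in the message above can be checked before deployment. The following is an added example, not part of the original thread and not OpenSSL code: a minimal config linter that reports name=value lines in the providers section whose value names no section. The function names and the sample file contents are constructed for illustration, `.include` files are not followed, and `fips_sect` is assumed to be defined by the included fipsmodule.cnf.

```python
import re

SECTION_RE = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

def parse_sections(text):
    """Map section name -> list of (name, value); '' is the unnamed default section."""
    sections, current = {"": []}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(".include"):
            continue  # assumption: includes are not followed in this sketch
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif "=" in line:
            name, value = (p.strip() for p in line.split("=", 1))
            sections[current].append((name, value))
    return sections

def dangling_provider_entries(text, external_sections=()):
    """Return (name, value) pairs in the providers section whose [value] section is missing."""
    sections = parse_sections(text)
    init = dict(sections[""]).get("openssl_conf")
    prov = dict(sections.get(init, [])).get("providers")
    known = set(sections) | set(external_sections)
    return [(n, v) for n, v in sections.get(prov, []) if v not in known]

# Constructed sample input: the lines from the message plus a few typical
# pre-existing entries (not a real openssl.cnf).
HEAD = "openssl_conf = openssl_init\n.include /usr/local/ssl/fipsmodule.cnf\n"
SECTS = ("[openssl_init]\nproviders = provider_sect\n"
         "[provider_sect]\nfips = fips_sect\n")
OLD_DEFAULTS = "HOME = .\noid_section = new_oids\n"
OLD_SECTIONS = "[new_oids]\n[req]\ndefault_bits = 2048\n"

# Layout from the message: everything pasted at the very top of the file,
# so the old default entries land inside [provider_sect].
AT_TOP = HEAD + SECTS + OLD_DEFAULTS + OLD_SECTIONS
# Constructed alternative: old default entries stay ahead of the first header.
REORDERED = HEAD + OLD_DEFAULTS + SECTS + OLD_SECTIONS

if __name__ == "__main__":
    print(dangling_provider_entries(AT_TOP, {"fips_sect"}))
    print(dangling_provider_entries(REORDERED, {"fips_sect"}))
```
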
