Add FIPS related configuration data to the default openssl application configuration file

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12333)
Shane Lontis 2020-07-01 14:37:32 +10:00 committed by Richard Levitte
parent 5744dacb3a
commit e45d943665
3 changed files with 61 additions and 8 deletions


@ -1,7 +1,9 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
# Note that you can include other files from the main configuration
# file using the .include directive.
@ -11,6 +13,9 @@
# defined.
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
@ -23,7 +28,6 @@ oid_section = new_oids
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
@ -35,6 +39,28 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
[default_sect]
# activate = 1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
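Review bot: The `# .include fipsmodule.cnf` example in the FIPS block gives a relative path with no hint about where it is resolved. As far as I know from config(5), a relative include is looked up under OPENSSL_CONF_INCLUDE if that is set and otherwise against the process's current working directory, so a user who simply uncomments the line may have the FIPS module configuration read from an unintended location. I would add a comment above it such as `# Use an absolute path here; a relative path is resolved against the current working directory.` Separately, `# activate = 1` under `[default_sect]` is unexplained: it looks like explicitly activating the fips provider leaves the default provider inactive unless this line is uncommented, which deserves a one-line comment such as `# Uncomment if any other provider is activated explicitly.` The same lines appear in the second file section, so both points apply there as well.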


@ -1,7 +1,9 @@
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
# See doc/man5/config.pod for more info.
#
# This is mostly being used for generation of certificate requests,
# but may be used for auto loading of providers
# Note that you can include other files from the main configuration
# file using the .include directive.
@ -11,6 +13,9 @@
# defined.
HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Extra OBJECT IDENTIFIER info:
# oid_file = $ENV::HOME/.oid
oid_section = new_oids
@ -23,7 +28,6 @@ oid_section = new_oids
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
@ -35,6 +39,28 @@ tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
# For FIPS
# Optionally include a file that is generated by the OpenSSL fipsinstall
# application. This file contains configuration data required by the OpenSSL
# fips provider. It contains a named section e.g. [fips_sect] which is
# referenced from the [provider_sect] below.
# Refer to the OpenSSL security policy for more information.
# .include fipsmodule.cnf
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
# The fips section name should match the section name inside the
# included fipsmodule.cnf.
# fips = fips_sect
[default_sect]
# activate = 1
####################################################################
[ ca ]
default_ca = CA_default # The default ca section


@ -474,6 +474,7 @@ configuration files using that syntax will have to be modified.
=head1 SEE ALSO
L<openssl-x509(1)>, L<openssl-req(1)>, L<openssl-ca(1)>,
L<openssl-fipsinstall(1)>,
L<ASN1_generate_nconf(3)>,
L<EVP_set_default_properties(3)>,
L<CONF_modules_load_file(3)>,