[strongSwan-dev] openssl plugin FIPS modes?

Andreas Steffen andreas.steffen at strongswan.org
Mon Dec 23 19:51:03 CET 2013

Hi Zach,

the OpenSSL FIPS 2.0 User Guide


says in section 5.2 FIPS Mode Initialization:

The FIPS_mode_set() function call when invoked with any positive
argument will enable the FIPS mode of operation. Depending on the
argument it may also enable additional restrictions. For example,
an argument of 1 will enable the basic FIPS mode where all FIPS
approved algorithms are available. An argument of FIPS_SUITEB(2)
will restrict the available algorithms to those allowed by the
Suite B specification.

But using openssl-fips with strongSwan I see that 3DES still can
be used with fips_mode = 2, although 3DES is not a Suite B algorithm.
See ipsec listalgs:


So your observation is true, that there is no difference between
the settings 1 and 2.

Best regards


On 23.12.2013 16:56, Zachery Stoddard wrote:
> I've (quickly) scoured the source and the documentation, but I can't
> determine the use of fips_mode = 1 (enabled) vs 2 (suite b enabled)?  At
> first glance there doesn't appear to be any difference/distinction
> between the two.
> Could someone shed a little light on this subject?
> ~Zach
Andreas Steffen                         andreas.steffen at strongswan.org
strongSwan - the Open Source VPN Solution!          www.strongswan.org
Institute for Internet Technologies and Applications
University of Applied Sciences Rapperswil
CH-8640 Rapperswil (Switzerland)
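
An added example, not part of the original message and not strongSwan code: a Python check that parses `ipsec listalgs`-style output and reports algorithms served by the openssl plugin that fall outside a Suite B allow-list, which is one way to verify the 3DES observation above after setting fips_mode = 2. The sample output, its line layout, the algorithm names and the allow-list (chosen after RFC 6379) are assumptions constructed for illustration.

```python
import re

# Assumed Suite B allow-list (after RFC 6379), in strongSwan-style names.
# listalgs shows no key sizes, so AES is checked at family level only
# (Suite B itself permits AES-128 and AES-256, not AES-192).
SUITE_B = {
    "encryption": {"AES_CBC"},
    "aead": {"AES_GCM_16"},
    "integrity": {"HMAC_SHA2_256_128", "HMAC_SHA2_384_192"},
    "prf": {"PRF_HMAC_SHA2_256", "PRF_HMAC_SHA2_384"},
    "dh-group": {"ECP_256", "ECP_384"},
}

# Constructed sample, not output captured from a real system.
SAMPLE = """\
List of registered IKE algorithms:

  encryption: AES_CBC[openssl] 3DES_CBC[openssl]
  integrity:  HMAC_SHA1_96[openssl] HMAC_SHA2_256_128[openssl]
              HMAC_SHA2_384_192[openssl]
  aead:       AES_GCM_16[openssl]
  prf:        PRF_HMAC_SHA1[openssl] PRF_HMAC_SHA2_256[openssl]
  dh-group:   MODP_2048[openssl] ECP_256[openssl] ECP_384[openssl]
"""

ENTRY = re.compile(r"([A-Z0-9_]+)\[([^\]]+)\]")  # ALGORITHM[plugin]

def parse_listalgs(text):
    """Return {category: [(algorithm, plugin), ...]}, handling wrapped lines."""
    algs, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s+([a-z-]+):", line)  # indented "category:" label
        if head:
            current = head.group(1)
            algs.setdefault(current, [])
        if current:
            algs[current].extend(ENTRY.findall(line))
    return algs

def non_suite_b(text, plugin="openssl"):
    """List (category, algorithm) pairs from `plugin` outside the allow-list."""
    return [(cat, alg)
            for cat, entries in parse_listalgs(text).items() if cat in SUITE_B
            for alg, plug in entries
            if plug == plugin and alg not in SUITE_B[cat]]

if __name__ == "__main__":
    for cat, alg in non_suite_b(SAMPLE):
        print(f"not Suite B: {cat} {alg}")
```

An empty result for the openssl plugin would indicate that the Suite B restriction is actually in effect; any entry listed means the mode setting did not narrow the registered algorithms.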
