{
    "mode": "man",
    "parameter": "fips_config",
    "section": "5ssl",
    "url": "https://www.chedong.com/phpMan.php/man/fips_config/5ssl/json",
    "generated": "2026-05-30T07:09:01Z",
    "sections": {
        "NAME": {
            "content": "fips_config - OpenSSL FIPS configuration\n",
            "subsections": []
        },
        "DESCRIPTION": {
            "content": "A separate configuration file, using the OpenSSL config(5) syntax, is used to hold\ninformation about the FIPS module. This includes a digest of the shared library file, and\nstatus about the self-testing.  This data is used automatically by the module itself for two\npurposes:\n\n- Run the startup FIPS self-test known answer tests (KATS).\nThis is normally done once, at installation time, but may also be set up to run each time\nthe module is used.\n\n- Verify the module's checksum.\nThis is done each time the module is used.\n\nThis file is generated by the openssl-fipsinstall(1) program, and used internally by the FIPS\nmodule during its initialization.\n\nThe following options are supported. They should all appear in a section whose name is\nidentified by the fips option in the providers section, as described in \"Provider\nConfiguration Module\" in config(5).\n",
            "subsections": [
                {
                    "name": "activate",
                    "content": "If present, the module is activated. The value assigned to this name is not significant.\n"
                },
                {
                    "name": "install-version",
                    "content": "A version number for the fips install process. Should be 1.\n"
                },
                {
                    "name": "conditional-errors",
                    "content": "The FIPS module normally enters an internal error mode if any self test fails.  Once this\nerror mode is active, no services or cryptographic algorithms are accessible from this\npoint on.  Continuous tests are a subset of the self tests (e.g., a key pair test during\nkey generation, or the CRNG output test).  Setting this value to 0 allows the error mode\nto not be triggered if any continuous test fails. The default value of 1 will trigger the\nerror mode.  Regardless of the value, the operation (e.g., key generation) that called\nthe continuous test will return an error code if its continuous test fails. The operation\nmay then be retried if the error mode has not been triggered.\n"
                },
                {
                    "name": "security-checks",
                    "content": "This indicates if run-time checks related to enforcement of security parameters such as\nminimum security strength of keys and approved curve names are used.  A value of '1' will\nperform the checks, otherwise if the value is '0' the checks are not performed and FIPS\ncompliance must be done by procedures documented in the relevant Security Policy.\n"
                },
                {
                    "name": "module-mac",
                    "content": "The calculated MAC of the FIPS provider file.\n"
                },
                {
                    "name": "install-status",
                    "content": "An indicator that the self-tests were successfully run.  This should only be written\nafter the module has successfully passed its self tests during installation.  If this\nfield is not present, then the self tests will run when the module loads.\n"
                },
                {
                    "name": "install-mac",
                    "content": "A MAC of the value of the install-status option, to prevent accidental changes to that\nvalue.  It is written-to at the same time as install-status is updated.\n\nFor example:\n\n[fips_sect]\nactivate = 1\ninstall-version = 1\nconditional-errors = 1\nsecurity-checks = 1\nmodule-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC\ninstall-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C\ninstall-status = INSTALL_SELF_TEST_KATS_RUN\n"
                }
            ]
        },
        "NOTES": {
            "content": "When using the FIPS provider, it is recommended that the config_diagnostics option is enabled\nto prevent accidental use of non-FIPS validated algorithms via broken or mistaken\nconfiguration.  See config(5).\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "config(5) openssl-fipsinstall(1)\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved.\n\nLicensed under the Apache License 2.0 (the \"License\").  You may not use this file except in\ncompliance with the License.  You can obtain a copy in the file LICENSE in the source\ndistribution or at <https://www.openssl.org/source/license.html>.\n\n3.0.2    2026-04-07    FIPS_CONFIG(5SSL)",
            "subsections": []
        }
    },
    "summary": "fips_config - OpenSSL FIPS configuration",
    "flags": [],
    "examples": [],
    "see_also": [
        {
            "name": "config",
            "section": "5",
            "url": "https://www.chedong.com/phpMan.php/man/config/5/json"
        },
        {
            "name": "openssl-fipsinstall",
            "section": "1",
            "url": "https://www.chedong.com/phpMan.php/man/openssl-fipsinstall/1/json"
        }
    ]
}