From akendo at akendo.eu Mon Oct 13 14:37:37 2025
From: akendo at akendo.eu (akendo)
Date: Mon, 13 Oct 2025 14:37:37 +0200
Subject: [gnutls-help] Set up FIPS with gnutls 3.8.9
Message-ID:

Hi everyone,

I tried to enable FIPS mode with gnutls 3.8.9 and failed to get it started. My compiler flags are the default compiler flags for Debian, since I use the Debian packages for Trixie as a sample build process. All I do is add the parameter:

    --enable-fips140-mode

The package build goes well, and I receive a package. However, after installing the package, I get the following error message:

    gnutls-cli github.com -p443
    Error in GnuTLS initialization: Error while performing self checks.
    global_init: Error while performing self checks

By setting GNUTLS_NO_IMPLICIT_INIT the global_init error message goes away. When I check for the fips-mode, gnutls-cli reports that this is working.

    export GNUTLS_NO_IMPLICIT_INIT=1;
    gnutls-cli --fips140-mode
    library is in FIPS140-2 mode
    gnutls-cli github.com -p443
    |<1>| FIPS140-2 self testing part 2 failed

Reading through the documentation, I noticed the statement regarding the self-test that it's possible to provide a --with-fips140-key for the self-test. Does this key have to be of a special length, since it should be an HMAC key, correct? I'm just not sure if that's going to help here. Does anyone have a suggestion?

My workaround as of now is to set GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1

PS: My kernel was booted in FIPS mode, and OpenSSL is in FIPS mode too.

Best regards,
akendo