[gnutls-help] Set up FIPS with gnutls 3.8.9

akendo akendo at akendo.eu
Mon Oct 13 14:37:37 CEST 2025


Hi everyone,

I tried to enable FIPS mode with gnutls 3.8.9 and failed to get it started. My compiler flags
are the default compiler flags for Debian, since I use the Debian packages for Trixie as a sample
build process.

All I do is add the parameter:

--enable-fips140-mode

The package build goes well, and I receive a package. However, after installing the
package, I get the following error message:

    gnutls-cli github.com -p443
    Error in GnuTLS initialization: Error while performing self checks.
    global_init: Error while performing self checks

By setting GNUTLS_NO_IMPLICIT_INIT the global_init error message goes away. When I check for the
fips-mode, gnutls-cli reports that this is working.

    export GNUTLS_NO_IMPLICIT_INIT=1; gnutls-cli --fips140-mode
    library is in FIPS140-2 mode

    gnutls-cli github.com -p443
    |<1>| FIPS140-2 self testing part 2 failed


Reading through the documentation, I noticed that there is a statement regarding the self-test
that it's possible to provide a --with-fips140-key for the self-test. Does this key have to be of a
special length, since it should be an HMAC key, correct?

I'm just not sure if that's going to help here; does anyone have a suggestion?

My workaround as of now is to set GNUTLS_SKIP_FIPS_INTEGRITY_CHECKS=1


PS: My kernel was booted with FIPS mode, and OpenSSL is also in FIPS mode.


best regards,
akendo
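As an added illustration (not code from this thread or from GnuTLS itself): the FIPS integrity self-test compares an HMAC over the installed library bytes with a tag recorded at build time. The block below spells out RFC 2104 HMAC (over SHA-256) to show that the key is normalised to the hash block size, so a key of any length is accepted, and then shows that a one-byte change to the library after the tag was computed makes the check fail. The library image, key and tag format are constructed stand-ins, not GnuTLS's actual .hmac layout.

```python
import hashlib
import hmac

BLOCK_SIZE = 64  # SHA-256 block size in bytes ("B" in RFC 2104)


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """RFC 2104 HMAC over SHA-256, written out to show how the key is normalised."""
    # A key longer than the block size is first hashed down to 32 bytes ...
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha256(key).digest()
    # ... and any key shorter than the block size is zero-padded to it,
    # so there is no "required" key length, only a fixed internal block.
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha256(ipad + msg).digest()
    return hashlib.sha256(opad + inner).digest()


def matches_stdlib(key: bytes, msg: bytes) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256(key, msg), reference)


def integrity_tag(library_bytes: bytes, key: bytes) -> str:
    """Tag computed once at build/install time and stored beside the library."""
    return hmac_sha256(key, library_bytes).hex()


def verify_integrity(library_bytes: bytes, key: bytes, expected_hex: str) -> bool:
    """Self-test at load time: recompute the tag and compare in constant time."""
    return hmac.compare_digest(integrity_tag(library_bytes, key), expected_hex)


# Constructed stand-in for a shared library image (not a real ELF file).
LIBRARY_IMAGE = bytes(range(256)) * 16
# Constructed key; GnuTLS's own compiled-in key is not reproduced here.
KEY = b"example-hmac-key"


def demo() -> dict:
    """Return the outcome of the check for an intact and a modified library."""
    tag = integrity_tag(LIBRARY_IMAGE, KEY)
    # Any post-install change (e.g. stripping) alters bytes and breaks the tag.
    modified = LIBRARY_IMAGE[:100] + b"\x00" + LIBRARY_IMAGE[101:]
    return {
        "intact_ok": verify_integrity(LIBRARY_IMAGE, KEY, tag),
        "modified_ok": verify_integrity(modified, KEY, tag),
    }
```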


