wolfSSL Full Linux FIPS-eval

What is this?

wolfSSL Full Linux FIPS is wolfSSL's programme for delivering FIPS 140-3 validated cryptography across the entire Linux software stack — kernel and userspace, system libraries and applications — without rewriting the customer's product. FIPS-eval is the evaluation channel that lets prospects try the userspace half of that programme on Debian Trixie or Bookworm, with one command.

Try it now

The bootstrap script auto-detects your distribution and architecture, installs the wolfSSL FIPS-eval repository keyring, and configures apt or dnf to use it. It does not install any packages by itself — the second command is your explicit consent.

Debian Trixie (13) or Bookworm (12) — amd64 or arm64

curl -fsSL https://fips-eval.wolfssl.com/install | sudo bash
sudo apt update
sudo apt install wolfssl-fips-eval-trixie   # or -bookworm

Full guide: HOWTO-debian.md

Fedora 43 or 44 — x86_64 or aarch64

curl -fsSL https://fips-eval.wolfssl.com/install | sudo bash
sudo dnf install wolfssl-fips-eval-fedora43   # or -fedora44

Full guide: HOWTO-fedora.md

RHEL / Rocky / AlmaLinux / CentOS Stream — 9 or 10, x86_64 or aarch64

curl -fsSL https://fips-eval.wolfssl.com/install | sudo bash
sudo dnf install wolfssl-fips-eval-el9   # or -el10

The same rpms install on Rocky, AlmaLinux, CentOS Stream, and RHEL at the same major version. Full guide: HOWTO-el.md

Docker / OCI evaluation image

Coming soon. Will publish to docker.io/wolfssl/debian-trixie-fips-eval and public.ecr.aws/wolfssl/debian-trixie-fips-eval once the apt repo has its first signed packages.

Pre-built AMI / qcow2 / OVA

Coming soon. AMI publication to public AWS will be at wolfssl-fips-eval-trixie-amd64-YYYYMMDD; qcow2 and OVA downloadable from this site under /downloads/.

What's covered

The FIPS-eval channel covers userspace cryptography — everything that goes through the OpenSSL 3.x provider mechanism, GnuTLS, libgcrypt, or NSS. Kernel-mode cryptography (LUKS, kernel TLS, IPsec, WireGuard) is handled separately by the wolfCrypt Linux Kernel Module and is part of the validated delivery engagement, not FIPS-eval.

| Layer | OCI image (shares host kernel) | qcow2 / AMI / OVA (full system) |
| --- | --- | --- |
| Kernel crypto API (KCAPI / AF_ALG) | ✗ host kernel | ✗ not via wolfProvider |
| /dev/random, /dev/urandom, getrandom() | ✗ host kernel | ✗ not via wolfProvider |
| LUKS / dm-crypt disk encryption | N/A | ✗ not via wolfProvider |
| Kernel TLS / IPsec | ✗ host kernel | ✗ not via wolfProvider |
| WireGuard / WolfGuard | N/A | ✗ not via wolfProvider |
| OpenSSL 3.x via wolfProvider | ✓ eval | ✓ eval |
| GnuTLS via gnutls-wolfssl | ✓ eval | ✓ eval |
| libgcrypt via libgcrypt-wolfssl | ✓ eval | ✓ eval |
| NSS / Firefox / Thunderbird via wolfPKCS11 | ✓ eval | ✓ eval |
| 35+ userspace apps inheriting wolfProvider | ✓ eval | ✓ eval |
| Go applications (crypto/tls standard library) | ✗ not via wolfProvider | ✗ not via wolfProvider |

About Go: Go's standard library crypto is statically compiled into each Go binary and does not route through wolfProvider, regardless of system configuration. A wolf-go toolchain that transparently routes Go application crypto through wolfCrypt — analogous to Google's BoringCrypto-Go — is on the wolfSSL roadmap. No release timeline is committed.

Signing key

FIPS-eval artifacts are signed by an ECDSA P-384 (NIST secp384r1) release-signing key whose private half lives in AWS KMS hardware and never leaves it. The OpenPGP fingerprint is:

FA9AC3974B0099D415C7367319D1F0DB1F304C7B

The keyring is bundled in wolfssl-fips-eval-archive-keyring and installed automatically by the bootstrap script. The bootstrap script pins the keyring package's SHA-256, so trust on first use is anchored on the TLS certificate of this site (which is in turn pinned to wolfSSL-controlled AWS Certificate Manager issuance).
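
One way to check an installed keyring against the fingerprint above, as an added example (not wolfSSL's own script). The keyring file path is not given on this page, so verify_keyring takes it as a parameter; the sample records are constructed for illustration.

```shell
# Fingerprint published in the "Signing key" section of this page.
EXPECTED_FPR="FA9AC3974B0099D415C7367319D1F0DB1F304C7B"

# Strip whitespace and upper-case, so "fa9a c397 ..." compares equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# check_colons EXPECTED: reads `gpg --with-colons` records on stdin.
# Succeeds only if there is exactly one primary key (pub record) and the
# fpr record right after it equals EXPECTED. Subkey fingerprints never
# count, and any extra primary key fails the check, because the package
# manager would trust signatures from that key as well.
check_colons() {
    want=$(normalize_fpr "$1")
    awk -F: -v want="$want" '
        $1 == "pub" { pubs++; after_pub = 1; next }
        $1 == "sub" { after_pub = 0; next }
        $1 == "fpr" && after_pub {
            if (toupper($10) == want) hits++
            after_pub = 0
        }
        END { exit !(pubs == 1 && hits == 1) }
    '
}

# verify_keyring FILE: FILE is the keyring file the package installed.
# Its path is not given on this page, so it is a parameter (assumption).
verify_keyring() {
    gpg --show-keys --with-colons "$1" 2>/dev/null | check_colons "$EXPECTED_FPR"
}

# Constructed sample records in gpg colon format. Dates and the second key
# are made up; only the first fingerprint is the one from this page.
sample_good() {
    printf '%s\n' \
        'pub:-:384:19:19D1F0DB1F304C7B:1700000000:::-:::scSC::nistp384:::0:' \
        'fpr:::::::::FA9AC3974B0099D415C7367319D1F0DB1F304C7B:' \
        'uid:-::::1700000000::0000::constructed example uid::::::::::0:'
}
sample_extra_key() {
    sample_good
    printf '%s\n' \
        'pub:-:255:22:AAAAAAAAAAAAAAAA:1700000000:::-:::scSC::ed25519:::0:' \
        'fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:'
}
```

Run verify_keyring on the installed keyring file after the bootstrap script and before the package install command; a non-zero exit status means the keyring does not hold exactly the published key.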

When you need validated, supported, or licensed. If your deployment must satisfy FIPS 140-3, CMMC Level 2, DoD or federal procurement, or any regime that requires a NIST-validated cryptographic module under an active certificate, you need a validated build — not a FIPS-eval build. Validated wolfCrypt is delivered per Operating Environment, scoped to your specific CPU family, kernel configuration, and build toolchain. wolfCrypt is also dual-licensed GPL-3.0 or commercial; if GPL-3.0 is incompatible with your product, you need the commercial license.

Contact wolfSSL: facts@wolfssl.com · +1 425 245 8247 · wolfssl.com/contact · FIPS 140-3 info · support & maintenance

Attribution

The pre-built images on this site are wolfSSL FIPS-eval Linux derivatives of upstream Debian, Fedora, and the RHEL family (Rocky Linux, AlmaLinux, CentOS Stream). Upstream mirrors, packages, and trademarks remain the property of the Debian Project, the Fedora Project, the Rocky Enterprise Software Foundation, and the AlmaLinux OS Foundation; this site adds the wolfSSL FIPS-eval repository on top of an otherwise-stock base.