# wolfSSL Full Linux FIPS — Evaluation Channel

Welcome to the wolfSSL Full Linux FIPS-eval channel, served at
<https://fips-eval.wolfssl.com/>. This is the presales evaluation
package repository for wolfSSL's Full Linux FIPS stack: signed apt and
dnf repositories, ready for `curl | bash` bootstrap on Debian, Fedora,
and the RHEL family (Rocky, AlmaLinux, CentOS Stream, RHEL).

## READ THIS FIRST

**This is a demo and presales evaluation channel. It is NOT supported
and is NOT for production use.**

The packages served by this channel are NOT the FIPS-certified
wolfCrypt bundle. They are an unsupported best-effort build of the
upstream open-source wolfSSL that approximates the wolfCrypt FIPS 140-3
algorithm boundary (CMVP certificates #4718 and #5041) so you can
evaluate the interface and integration story before purchasing the
real thing.

The wolfCrypt cryptography engine itself is dual-licensed: **GPL-3.0
or commercial**. The GPL-3.0 build available through this channel
carries copyleft obligations. If GPL-3.0 is incompatible with your
product or distribution model, you need the commercial license.

**For supported FIPS 140-3 validated wolfCrypt, production licensing,
FIPS certificate and Operational Environment (OE) work, and any
production support: contact wolfSSL Inc. See "Getting help, support,
sales, licensing, and FIPS certification" at the bottom of this
document.**

FIPS-eval is unsupported. Use it to evaluate, demo, and prototype, and
then talk to us.

## Quick start — pick your platform

| Platform | Versions supported | Read this |
|---|---|---|
| Debian | Trixie (13), Bookworm (12) — amd64 + arm64 | [HOWTO-debian.md](HOWTO-debian.md) |
| Fedora | 43, 44 — x86_64 + aarch64 | [HOWTO-fedora.md](HOWTO-fedora.md) |
| RHEL / Rocky / AlmaLinux / CentOS Stream | 9, 10 — x86_64 + aarch64 | [HOWTO-el.md](HOWTO-el.md) |
| OCI container image (Debian) | Trixie + Bookworm — linux/amd64 + linux/arm64 | [HOWTO-oci.md](HOWTO-oci.md) |

For the **kernel-side** of the Full Linux FIPS story (loading
`libwolfssl.ko` as the in-kernel crypto provider for LUKS / dm-crypt,
kernel TLS, IPsec, and the kernel RNG), see [HOWTO-luks.md](HOWTO-luks.md).
The kernel module is not in the FIPS-eval evaluation channel; it is
delivered through wolfSSL's supported Full Linux FIPS engagement.
Container deployments share the host kernel by construction, so the
kernel-side story is independent of which container artifact you use.

For the algorithm coverage matrix — what is and isn't routed through
wolfCrypt by this evaluation channel — see [coverage.md](coverage.md).

If you're not sure which guide applies to you, the bootstrap script
auto-detects your distribution. Every apt/dnf-based platform uses the
same two-line install pattern:

```
curl -fsSL https://fips-eval.wolfssl.com/install | sudo bash
sudo <apt|dnf> install <meta-package>
```

The exact meta-package name varies by distro — see the per-platform
HOWTO.

For the **container image** path, the recipe is `curl` +
`docker load` from `https://fips-eval.wolfssl.com/oci/` rather than
`docker pull`. Each image directory ships a `SHA256SUMS` file next to
the tarballs; check the tarball against it before `docker load`.
Images are not pushed to Docker Hub, ECR Public, or GHCR yet; that
auth-coordination work is on the roadmap. See
[HOWTO-oci.md](HOWTO-oci.md) for the full recipe.

## What you can install from this channel

| Package | What it is |
|---|---|
| `libwolfssl` / `wolfssl` | wolfSSL TLS/SSL + wolfCrypt cryptography library (5.9.1, FIPS-approximating algorithm surface) |
| `libwolfprov` | wolfProvider — the OpenSSL 3.x provider that routes OpenSSL crypto into wolfSSL (1.1.1) |
| `wolfssl-fips-eval-archive-keyring` | Trust anchor (the OpenPGP public key for this repository) |
| `wolfssl-fips-eval-<suite-or-version>` | Convenience meta-package that pulls the above plus a FIPS-aligned userspace (cryptsetup, krb5, openssh, x11vnc) |

On Debian we ship Mode-2-minimal patched variants of cryptsetup, krb5,
openssh, and x11vnc. On Fedora and EL we ship stock distribution
versions of those apps (Fedora's and Red Hat's crypto-policies
frameworks already cover most of the same ground).

## What FIPS-eval is NOT (the honest list)

This is not optional reading. Every bullet matters.

- **It is not a FIPS 140-3 validated cryptographic module.** It is an
  open-source wolfSSL build that approximates the validated module's
  algorithm set so you can evaluate the interface and integration
  story. Production deployments that require FIPS validation must use
  the certified wolfCrypt module, which is a separate purchase. The
  CMVP-issued FIPS 140-3 certificates referenced by this channel
  (#4718, #5041) cover that certified module, NOT this evaluation
  build.
- **It is not the actual FIPS-certified bundle.** A FIPS-certified
  deployment requires the certified wolfCrypt module source, the
  matching Operational Environment (OE) from the CMVP certificate, and
  in many cases an OE add to extend the certificate to your specific
  platform. None of that is in this channel.
- **It is not supported.** No SLA, no CVE response process, no support
  pipeline.
- **It is not for production.** Treat it as a demo binary. Use it on
  evaluation laptops, lab machines, and CI sandboxes. Do not deploy it
  to anything that processes real data, real traffic, or real
  customers.
- **It does not include FIPS-mode operational self-tests.** The
  certified wolfCrypt module includes power-on self-tests (POST),
  continuous random-number-generator health tests, and integrity
  checking of the cryptographic boundary. This evaluation build does
  not run those tests at startup.
- **The license is GPL-3.0.** wolfCrypt and wolfSSL are dual-licensed:
  GPL-3.0 OR commercial. The build distributed by this channel is the
  GPL-3.0 build. If GPL-3.0 copyleft is incompatible with your
  product, you need a commercial license — contact wolfSSL.
- **Two named coverage gaps affect specific workflows.**
  - ChaCha20-Poly1305 is removed from the default SSH cipher offer
    (modern SSH clients fall back transparently to AES-GCM).
    ChaCha20-Poly1305 is not yet a NIST-approved FIPS 140-3 algorithm,
    so this is a NIST policy pathway, not a wolfSSL engineering
    pathway.
  - The SP 800-56C Single-Step KDF (SSKDF) is not yet inside the
    wolfCrypt FIPS module boundary covered by certificates #4718 and
    #5041; it is intended to enter the boundary at wolfCrypt FIPS
    7.0.0 (CMVP-completion timeline not yet published by wolfSSL).
    This affects exactly one bounded workflow on this channel:
    `systemd-cryptenroll --tpm2-device-key=…` doing *offline*
    TPM2-LUKS pre-sealing against an *ECC* device public key. RSA
    device keys work, online enrollment with an attached TPM works,
    and boot-time TPM2 LUKS unlock works. krb5 PKINIT works (patched
    to use an in-tree SSKDF fallback that wolfProvider services via
    digest-call interception).

  See `HOWTO-debian.md` "What FIPS-eval is NOT" and
  `coverage-manifest.md` "Known userspace coverage gaps and forward
  roadmap" for the full details.

## Cryptographic trust anchor

All repository metadata served by this channel is signed by a single
key:

- **Algorithm**: ECDSA P-384 (FIPS-approved curve, matching the curves
  in wolfCrypt FIPS 140-3 certs #4718 and #5041)
- **Fingerprint**: `FA9A C397 4B00 99D4 15C7 3673 19D1 F0DB 1F30 4C7B`
- **User ID**: `wolfSSL FIPS-eval Release Signing Key <fips-eval-release@wolfssl.com>`
- **Private key location**: AWS KMS, not stored on disk anywhere

The same key signs both the Debian `Release` / `InRelease` files (apt
verifies on every `apt update`) and the Fedora / EL `repomd.xml.asc`
files (dnf verifies on every refresh). The keyring deb and the
keyring rpms install this public key under `/usr/share/keyrings/`
(Debian) or `/etc/pki/rpm-gpg/` (Fedora, EL).

## What the bootstrap does

The single-line bootstrap (`curl -fsSL https://fips-eval.wolfssl.com/install | sudo bash`):

1. Detects your distribution and architecture from `/etc/os-release`
   and `uname -m`. Supported: Debian Trixie/Bookworm, Fedora 43/44,
   RHEL/Rocky/Alma/CentOS Stream 9/10. Other distros refuse with a
   clear error.
2. Downloads the appropriate keyring package (a `.deb` for Debian, a
   `.rpm` for the rpm distros) and verifies its integrity. On Debian
   the SHA-256 of the keyring deb is pinned in the bootstrap script
   itself; on Fedora and EL the OpenPGP key inside the keyring rpm is
   imported into `rpm`'s keystore via the rpm's own `%post` scriptlet.
   In both cases, compare the fingerprint of the key that ends up
   installed against the one published under "Cryptographic trust
   anchor" above before you run the second install command.
3. Configures `apt` or `dnf` to know about this repository, signed by
   the installed key.
4. Stops. The bootstrap does NOT install any cryptography packages.
   That is left as an explicit second step so nothing changes by
   surprise.

The bootstrap script is the same file regardless of distro. Read it
at <https://fips-eval.wolfssl.com/install> before running it; better
still, save it to disk, read the saved copy, and run that copy with
`sudo bash ./install.sh`, so that the script you audited is the one
that executes.
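The save-read-run flow just described, together with the two checks the rest of this page relies on (a pinned SHA-256, which the bootstrap applies to the keyring deb and which the `SHA256SUMS` files under `/oci/` let you apply to image tarballs, and the release-key fingerprint from "Cryptographic trust anchor"), as an added shell example. This is not code from the FIPS-eval channel or from wolfSSL. The local file name `install.sh`, the use of `gpg --show-keys --with-colons` on the installed key file, and the sample colon-format records in the comments are assumptions; the fingerprint is the one published on this page.

```bash
#!/usr/bin/env bash
# Added example (not part of the FIPS-eval channel or wolfSSL): verify what
# the bootstrap fetches before anything is trusted. Assumptions are marked.
set -eu

# Published under "Cryptographic trust anchor" on this page.
EXPECTED_FPR='FA9A C397 4B00 99D4 15C7 3673 19D1 F0DB 1F30 4C7B'

# SHA-256 of a file, portable across coreutils and BSD userlands.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: 0 if FILE hashes to EXPECTED, 1 otherwise.
# The bootstrap does this for the keyring deb; do it yourself for each
# /oci/ tarball against its SHA256SUMS, and for the saved install script.
verify_sha256() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file" | tr '[:upper:]' '[:lower:]')"
  expected="$(printf '%s' "$expected" | tr '[:upper:]' '[:lower:]')"
  [ "$actual" = "$expected" ]
}

# Canonicalise an OpenPGP fingerprint: drop spaces/newlines, upper-case hex.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons` output on stdin and print the primary-key
# fingerprint. An fpr record looks like (constructed sample):
#   fpr:::::::::FA9AC3974B0099D415C7367319D1F0DB1F304C7B:
# with the fingerprint in field 10.
fpr_from_colons() {
  awk -F: '$1 == "fpr" { print $10; exit }'
}

# check_keyring KEYFILE: compare the key installed by the keyring package
# (under /usr/share/keyrings/ or /etc/pki/rpm-gpg/; exact file name is an
# assumption here) against EXPECTED_FPR. Needs gpg; not exercised offline.
check_keyring() {
  local keyring="$1" got
  got="$(gpg --show-keys --with-colons "$keyring" | fpr_from_colons)"
  [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$EXPECTED_FPR")" ]
}

# Instead of `curl ... | sudo bash`: save, read, record the digest of the
# copy you read, then run that same copy. Not run here (network).
fetch_and_inspect() {
  curl -fsSL https://fips-eval.wolfssl.com/install -o install.sh
  "${PAGER:-less}" install.sh
  sha256_of install.sh
  # verify_sha256 install.sh <digest-you-just-recorded> && sudo bash ./install.sh
}
```

`verify_sha256` and `fpr_from_colons` are the reusable parts: the first is what `sha256sum -c` does for one file without needing the digest in a side file, the second turns a gpg listing into a single string you can diff against the published fingerprint.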

## File and URL layout under this channel

```
https://fips-eval.wolfssl.com/
├── /                                  (HTML landing page)
├── /install                           (bootstrap shell script, autodetects distro)
├── /README.md                         (this file)
├── /HOWTO-debian.md                   (Debian-specific install guide)
├── /HOWTO-fedora.md                   (Fedora-specific install guide)
├── /HOWTO-el.md                       (RHEL/Rocky/Alma/CentOS Stream guide)
├── /HOWTO-oci.md                      (container image guide)
├── /keyring/
│   ├── wolfssl-fips-eval-archive-keyring_latest_all.deb
│   ├── wolfssl-fips-eval-archive-keyring-latest.fc43.noarch.rpm
│   ├── wolfssl-fips-eval-archive-keyring-latest.fc44.noarch.rpm
│   ├── wolfssl-fips-eval-archive-keyring-latest.el9.noarch.rpm
│   └── wolfssl-fips-eval-archive-keyring-latest.el10.noarch.rpm
├── /debian/                           (apt repo: trixie + bookworm × amd64 + arm64)
├── /fedora/
│   ├── 43/{x86_64,aarch64}/           (dnf repo for Fedora 43)
│   └── 44/{x86_64,aarch64}/           (dnf repo for Fedora 44)
├── /el/
│   ├── 9/{x86_64,aarch64}/            (dnf repo for EL 9: Rocky 9, Alma 9, CentOS Stream 9, RHEL 9)
│   └── 10/{x86_64,aarch64}/           (dnf repo for EL 10: Rocky 10, Alma 10, CentOS Stream 10, RHEL 10)
└── /oci/                              (OCI container images for Debian Trixie + Bookworm)
    ├── debian-trixie-fips-eval/
    │   ├── latest/{amd64.tar,arm64.tar,oci-layout.tar,SHA256SUMS,README.md}
    │   └── <YYYY-MM-DD>/{amd64.tar,arm64.tar,oci-layout.tar,SHA256SUMS,README.md}
    └── debian-bookworm-fips-eval/
        ├── latest/{amd64.tar,arm64.tar,oci-layout.tar,SHA256SUMS,README.md}
        └── <YYYY-MM-DD>/{amd64.tar,arm64.tar,oci-layout.tar,SHA256SUMS,README.md}
```

## Demonstrating the integration

After install, the wolfProvider OpenSSL 3.x provider lives at:

- Debian: `/usr/lib/<multiarch>/ossl-modules/libwolfprov.so` + config
  snippet at `/etc/ssl/openssl.cnf.d/wolfprovider.conf`
- Fedora and EL: `/usr/lib64/ossl-modules/libwolfprov.so` + config
  snippet at `/etc/pki/tls/openssl.cnf.d/wolfprovider.conf`

To see it actually route crypto:

```
# Per-command (Debian path shown; EL/Fedora uses /etc/pki/tls/...)
OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf openssl list -providers
```

Expected:

```
Providers:
  libwolfprov
    name: wolfSSL Provider
    version: 1.1.1
    status: active
```

To see real algorithm dispatch into wolfSSL:

```
OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf \
    openssl list -digest-algorithms | grep wolfprov
```

The `@ libwolfprov` suffix means OpenSSL is routing that algorithm
through wolfProvider, which routes it through wolfCrypt inside
wolfSSL. Any algorithm still listed with `@ default` is served by
OpenSSL's built-in provider, not wolfCrypt, so check the algorithms
your workload actually uses rather than only grepping for the ones
that are routed.
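To turn the `grep` above into a check that fails loudly, here is an added shell example (not code from the FIPS-eval channel or from wolfSSL) that parses an `openssl list -digest-algorithms` listing and reports every named algorithm that is not served by `libwolfprov`. The listing embedded in it is constructed; the `@ default` entries are there to show what a fallback looks like. The parsing relies only on OpenSSL 3's `{ names } @ provider` line format, so the same functions work on live output.

```bash
#!/usr/bin/env bash
# Added example, not code from the FIPS-eval channel or wolfSSL: confirm
# that the algorithms you care about are dispatched to wolfProvider and
# that none of them silently fall back to OpenSSL's `default` provider.
set -eu

# Constructed sample of `openssl list -digest-algorithms` output (the real
# listing is longer). OpenSSL 3 prints each provided algorithm as
# `{ names... } @ provider`; the `@ default` lines model a fallback.
SAMPLE_LIST='Provided:
  { 1.2.840.113549.2.5, MD5, SSL3-MD5 } @ default
  { 2.16.840.1.101.3.4.2.1, SHA2-256, SHA-256, SHA256 } @ libwolfprov
  { 2.16.840.1.101.3.4.2.3, SHA2-512, SHA-512, SHA512 } @ libwolfprov
  { 1.3.36.3.2.1, RIPEMD-160, RIPEMD160 } @ default'

# provider_of NAME: read a listing on stdin, print the provider serving
# algorithm NAME (matching any of its aliases), or "none" if absent.
provider_of() {
  awk -v want="$1" '
    /@/ {
      names = $0; sub(/ *@.*$/, "", names); gsub(/[{} ]/, "", names)
      n = split(names, a, ",")
      for (i = 1; i <= n; i++) if (a[i] == want) {
        p = $0; sub(/^.*@ */, "", p); print p; found = 1; exit
      }
    }
    END { if (!found) print "none" }'
}

# check_routed LISTING NAME...: exit 0 if every NAME is served by
# libwolfprov; otherwise list the offenders on stderr and exit 1.
check_routed() {
  local listing="$1" rc=0 name p
  shift
  for name in "$@"; do
    p="$(printf '%s\n' "$listing" | provider_of "$name")"
    if [ "$p" != "libwolfprov" ]; then
      echo "NOT routed through wolfCrypt: $name (provider: $p)" >&2
      rc=1
    fi
  done
  return $rc
}

# Live use on an installed box (Debian path shown; Fedora/EL use
# /etc/pki/tls/openssl.cnf.d/wolfprovider.conf). Not run here.
live_check() {
  local listing
  listing="$(OPENSSL_CONF=/etc/ssl/openssl.cnf.d/wolfprovider.conf \
    openssl list -digest-algorithms)"
  check_routed "$listing" SHA256 SHA384 SHA512
}
```

Run `live_check` (or `check_routed` over the output of `openssl list -cipher-algorithms`, `-signature-algorithms`, and so on, which use the same line format) for the exact algorithm names your application negotiates; a non-zero exit is the signal that something is still being served by OpenSSL's own code.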

For deeper proof — including counting actual wolfCrypt function calls
during a real operation — see the per-platform HOWTO files.

## Getting help, support, sales, licensing, and FIPS certification

This channel is unsupported. For everything that matters in a real
deployment — support, production licensing, the actual FIPS-certified
code, an actual FIPS certificate, and Operational Environment (OE)
work to extend that certificate to your platform — talk to wolfSSL Inc.

**Contact wolfSSL:**

- Email: <facts@wolfssl.com>
- Phone: +1 425 245 8247
- Web: <https://www.wolfssl.com/contact/>
- Products: <https://www.wolfssl.com/products/>
- FIPS 140-3 information: <https://www.wolfssl.com/license/fips/>
- Licensing: <https://www.wolfssl.com/license/>
- Support & Maintenance: <https://www.wolfssl.com/products/support-and-maintenance/>

**Download the supported, licensed wolfSSL:**
<https://www.wolfssl.com/download/>
