EVP_default_properties_enable_fips()
Thomas Dwyer III
thomas.dwyer at oracle.com
Thu Feb 16 20:51:12 UTC 2023

For historical reasons going way back to the earliest days of the FIPS 
Object Module, we modified libcrypto to add a constructor function that 
reads a configuration file and calls FIPS_mode_set() to enable or 
disable FIPS mode. This mechanism ensures that FIPS mode is enabled for 
all applications system-wide. I need to preserve this functionality with 
OpenSSL 3.x, even for applications that might explicitly set 
OPENSSL_CONF to point at some other configuration (effectively forcing 
them to fail if that other configuration does not have a valid FIPS 
section from "openssl fipsinstall"). I'd like to confirm that with 
OpenSSL 3.x and the new FIPS provider, is it valid to call 
EVP_default_properties_enable_fips(NULL, 1) from a libcrypto constructor 
prior to main() or any other OpenSSL APIs getting invoked?
Thanks,
Tom.III