OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs
Dr Paul Dale
pauli at openssl.org
Wed Mar 8 05:31:30 UTC 2023
> Are there any specific .h files where we can refer to this method that
> needs to be used ( ex: evp.h )?
>
#include "openssl/evp.h" should be enough to get the EVP APIs. You will
need other includes for other parts of OpenSSL but that covers EVP well
enough.
> Still, are there any files that we can go through once before calling
> in the fips mode?
>
Turn on -Wdeprecated or equivalent in your compile and the low level
calls will be flagged. They should all be deprecated.
> One more doubt is how can we set fips enabled for the complete
> application (process/service) while running so that if we are using
> non-compliant algorithms/methods it should throw errors? Is it
> possible in OpenSSL 3.0.x?
>
The call you are looking for is:

    EVP_set_default_properties(libctx, "fips=yes");

I strongly suggest reading the documentation about the FIPS provider
<https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the
migration guide
<https://www.openssl.org/docs/man3.0/man7/migration_guide.html>. Both
the avoidance of low level calls and setting the default properties are
covered therein. There are a number of other nuances to trip over when
using the FIPS provider.
Paul Dale