[openssl-dev] Question about no-* options (no-fips in particular) on 1.1 branch
William A Rowe Jr
wrowe at rowe-clan.net
Wed Apr 12 18:39:03 UTC 2017
On Wed, Apr 12, 2017 at 1:26 PM, Salz, Rich via openssl-dev
<openssl-dev at openssl.org> wrote:
>> Did the no-fips option get removed by-design? Are the no-* corollaries going
>> to be dropped going forwards?
>
> Yes. All FIPS support was removed. It could be brought back, and made a no-op, if that's a real issue.

It isn't a big problem here for me (default = no-fips, whether the
/usr/local/openssl/fips/ tree was discovered or not.) It was future
proofing a new schema before some existing fips binary might be
detected on a build box inadvertently.

But for consistency, permitting 'no-fips' for the lifespan of 1.0.2/1.1.0
seems prudent. No reason for it to survive on master.