[openssl-users] Using FIPS mode and modifying apps

jonetsu at teksavvy.com jonetsu at teksavvy.com
Wed Jan 28 13:33:51 UTC 2015

On Mon, 26 Jan 2015 22:35:12 -0500
Tom Francis <thomas.francis.jr at pobox.com> wrote:

> This is a bad idea.  It can generally be done, and it’s probably not
> even too hard (for some uses, anyway).  But it’s a bad idea.  Here’s
> why:

Thanks for the detailed comments.  I understand the concerns, although
there's one thing I do not see clearly, that is:

> 2) Applications that don’t know they’re operating in FIPS
> mode may attempt to use algorithms that are disallowed in FIPS mode,
> but using an API that will actually succeed.  

How could this happen?  Do you have a practical use case?  Wouldn't
OpenSSL in FIPS mode prevent the use of such an algorithm in the first
place?


