[openssl-users] Using FIPS mode and modifying apps

Dr. Stephen Henson steve at openssl.org
Wed Jan 28 15:31:58 UTC 2015

On Wed, Jan 28, 2015, Tom Francis wrote:

> Actually, I was thinking of the 1.x FIPS module, and OpenSSL 0.9.8, where
> OpenSSL would prevent disallowed algorithms from being used, but only if you
> used the EVP interfaces. You could, for example, invoke MD5 directly.  Did
> that change with 2.x?  (it???s not something I paid much attention to, as I
> always used EVP, anyway).  It???s also my understanding that the private APIs
> could still be used to bypass the FIPS mode algorithm checks, and that some
> applications may be using those.

With 2.0 the low level calls are blocked in FIPS mode and you have to use EVP.

The blocking in OpenSSL is designed to block *accidental* calls to unapproved
algorithms in FIPS mode. An application can decide to bypass those checks
if it wants to (for example some usages of unapproved algorithms are 
considered acceptable in FIPS mode) with appropriate calls.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

More information about the openssl-users mailing list