[openssl-users] How to enable FIPS mode system-wide for the FIPS capable OpenSSL?

security veteran security.veteran at gmail.com
Mon Feb 1 21:35:19 UTC 2016

Thanks Steve.

I think the way to use OPENSSL_config() and openssl.conf basically still
requires each application to explicitly invoke OPENSSL_config() API in
order to truly enable the FIPS mode, is that correct?

If that's the case, then basically there's no way to really globally enable
the FIPS mode in the OpenSSL library in a system-wide way, so that all the
applications which use OpenSSL (libcrypto to be more specific) will be
running under FIPS mode by default (i.e. without the needs of modification
tomake them invoke either OPENSSL_config() or FIPS_mode_set() API). Is that

The reason I ask was mainly because I am evaluating how I should modify my
server platform and applications in order to adapt FIPS capable OpenSSL
library into the platform.

Thanks and I truly appreciate your answers and helps.

On Fri, Jan 29, 2016 at 6:31 AM, Steve Marquess <marquess at openssl.com>

> On 01/28/2016 07:11 PM, security veteran wrote:
> > Hi All:
> >
> > Is there a way to enable FIPS mode globally, instead of having to
> > explicitly invoke the FIPS_mode_set() API from each application, for
> > enabling the FIPS mode?
> >
> > ...
> Kinda-sorta, via OPENSSL_config() and openssl.conf. See the FIPS user
> guide, https://openssl.org/docs/fips/UserGuide-2.0.pdf, section 5.2.
> -Steve M.
> --
> Steve Marquess
> OpenSSL Software Foundation
> 1829 Mount Ephraim Road
> Adamstown, MD  21710
> +1 877 673 6775 s/b
> +1 301 874 2571 direct
> marquess at openssl.com
> gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160201/041bf762/attachment.html>

More information about the openssl-users mailing list