[openssl-users] OpenSSL FIPS modules and APIs compatibility

Steve Marquess marquess at openssl.com
Wed Jan 27 22:54:27 UTC 2016


On 01/27/2016 05:33 PM, cloud force wrote:
> Hi everyone,
> 
> Do the OpenSSL FIPS modules keep all the OpenSSL APIs intact?
> i.e. If we use the OpenSSL FIPS modules, we don't need to make any API
> invocation changes on our applications side (in addition to invoking the
> FIPS_mode_set API). Is that correct?

OpenSSL and the OpenSSL FIPS module (technically the "OpenSSL FIPS
Object Module v2.0") are separate and distinct software products. The
OpenSSL FIPS module doesn't replace OpenSSL.

The "FIPS capable" OpenSSL (OpenSSL built with the "fips" option in the
presence of the FIPS module) will behave just like stock OpenSSL until
the FIPS mode of operation is enabled. At that point many cryptographic
operations are automagically disabled; but that's not the same thing as
changing the API.

-Steve M.

-- 
Steve Marquess
OpenSSL Software Foundation
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
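
Added example, not part of the original message and not OpenSSL project code: a shell check of the behaviour described in the reply, where the same `openssl dgst` invocation works outside FIPS mode and a non-approved digest (MD5) is refused once FIPS mode is on. It assumes a 1.0.x-era command-line tool, which enters FIPS mode when `OPENSSL_FIPS` is set in its environment; the function names and result labels are hypothetical.

```shell
#!/bin/sh
# Usage (after sourcing this file):  fips_probe /path/to/openssl

# run_dgst BIN FIPS ALG
# Hash a constructed sample string with "BIN dgst -ALG".
# FIPS=1 requests FIPS mode via the environment, FIPS=0 clears the request.
# The subshell keeps the environment change away from the caller.
run_dgst() {
    printf 'probe' | (
        if [ "$2" = 1 ]; then
            OPENSSL_FIPS=1
            export OPENSSL_FIPS
        else
            unset OPENSSL_FIPS
        fi
        "$1" dgst "-$3"
    ) >/dev/null 2>&1
}

# fips_probe [BIN]
# Prints one label describing what the binary does with identical call sites:
#   unusable               SHA-256 fails even outside FIPS mode
#   fips-mode-unavailable  the tool refuses to start when FIPS mode is requested
#                          (for example a build without the FIPS module)
#   fips-enforced          SHA-256 works in FIPS mode, MD5 is rejected
#   fips-not-enforced      MD5 still works, so FIPS mode was never entered
fips_probe() {
    bin=${1:-openssl}

    # Baseline: behaves like stock OpenSSL when FIPS mode is not requested.
    run_dgst "$bin" 0 sha256 || { echo unusable; return 0; }

    # An approved digest must keep working through the unchanged interface.
    run_dgst "$bin" 1 sha256 || { echo fips-mode-unavailable; return 0; }

    # Same invocation, non-approved digest: the call exists but fails.
    if run_dgst "$bin" 1 md5; then
        echo fips-not-enforced
    else
        echo fips-enforced
    fi
}
```

An application linked against a FIPS capable build needs the same discipline at its own call sites: check the return value of every digest and cipher initialisation, because those calls can start failing after `FIPS_mode_set` succeeds.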

