[openssl-users] /proc/sys/crypto/fips_enabled=1 is this enough to make OpenSSL to change its mode to FIPS?

Steve Marquess marquess at openssl.com
Sat May 13 19:02:07 UTC 2017

On 05/12/2017 05:17 PM, Hareesh Joshi wrote:
> Hi,
> I've a CentOS machine with 
>    1. FIPS capable OpenSSL module installed
>    2. Kernel switched to FIPS with /proc/sys/crypto/fips_enabled=1
> Will this make OpenSSL to switch to FIPS mode as well? Or do I
> necessarily need to use OPENSSL_FIPS=1 ?

OpenSSL and the OpenSSL FIPS Object Module ignore
/proc/sys/crypto/fips_enabled, that is presumably used by the Red Hat
modified version of OpenSSL.  You'll need to check with them about how
that behaves.

For a genuine FIPS capable OpenSSL you want to use FIPS_mode_set(); see
the FIPS module user guide at
https://www.openssl.org/docs/fips/UserGuide-2.0.pdf and/or the wiki at

-Steve M.

Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
+1 301 874 2571
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc

More information about the openssl-users mailing list