[openssl-users] Enable FIPS mode using OPENSSL_config()

security veteran security.veteran at gmail.com
Tue Oct 10 19:25:01 UTC 2017


Hi All:

My understanding is that by using OPENSSL_config(), we will be able to enable
FIPS mode globally on the system. Is that correct?

My question is: if we enable FIPS mode through configuration and using
OPENSSL_config(), does it mean that for all the applications which link to
the OpenSSL library, the FIPS_mode_set() function will be invoked
automatically (at some level), even if these applications are not modified
to invoke FIPS_mode_set() by themselves?

The reason I ask is mainly that I am evaluating how I should modify my
server platform and applications in order to adapt the FIPS-capable OpenSSL
library into the platform.

From the previous suggestions seen in this forum, it looks like the best
strategy is to select only a few important applications to run
under FIPS mode; that way we only need to modify these applications to
allow them to invoke FIPS_mode_set().

My assumption is that for those applications which link to OpenSSL but are not
FIPS aware, even if we run OPENSSL_config() to enable FIPS mode globally,
they will still be running in non-FIPS mode and they won't be impacted or
crash because they are not FIPS compatible. Is my understanding correct?

Thanks.