FIPS and default vs base providers
Dr Paul Dale
pauli at openssl.org
Tue Apr 4 23:04:05 UTC 2023
Confirming that the base provider is completely redundant in your scenario.
Everything in the base provider is also in the default provider.
On 5/4/23 06:10, Thomas Dwyer III wrote:
> I understand that the base provider is intended to be used in
> conjunction with the FIPS provider. I'm trying to understand what
> functionality the base provider offers, if any, if the default
> provider is already loaded & active. Our application always loads both
> the default and fips providers via configuration files. When we
> require FIPS compliance we set "fips=yes" via
> EVP_default_properties_enable_fips(). Is the base provider completely
> redundant in this scenario?
> My read of the documentation (OSSL_PROVIDER-default and
> OSSL_PROVIDER-base) as well as the encoders.inc, decoders.inc, and
> stores.inc source files leads me to believe it is not necessary to
> load the base provider if the default provider is already loaded. I
> just want to confirm that I understand this correctly.
More information about the openssl-users