OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

Dr Paul Dale pauli at
Thu Apr 20 01:39:37 UTC 2023

It looks like you're trying to access non-approved crypto.  My 
suggestion would be to create a new library context specifically for 
this using OSSL_LIB_CTX_new().  Load only the default provider into that 
context using OSSL_PROVIDER_load().  Do not call 
EVP_default_properties_enable_fips() on it.

You should only use this new library context for non-FIPS operations.  
If there is any doubt about what is permitted and what isn't, contact 
your FIPS lab for clarification.

Paul Dale

On 20/4/23 01:35, Prasad, PCRaghavendra wrote:
> Hi Dr. Paul/Team,
> Good Morning,
> We have integrated OpenSSL 3.0.8 in our code along with FIPS 
> enablement. We are using Python 3.11.
> We have used the default search path as our application directory 
> (OSSL_PROVIDER_set_default_search_path) and loaded the “base” and 
> “fips” providers and not the default provider.
> OSSL_PROVIDER_load(None, b"base")
> OSSL_PROVIDER_load(None, b"fips")
> After that, we enabled FIPS using the 
> libcrypto.EVP_default_properties_enable_fips() call.
> Should we load the default provider as well, or are base and fips good 
> enough?
> Sometimes we are getting the below error message from the Python 
> cryptography package:
> cryptography.exceptions.InternalError: Unknown OpenSSL error. This 
> error is commonly encountered when another library is not cleaning up 
> the OpenSSL error stack. If you are using cryptography with another 
> library that uses OpenSSL try disabling it before reporting a bug. 
> Otherwise please file an issue at 
> with information on how to 
> reproduce this. ([_OpenSSLErrorWithText(code=50856204, lib=6, 
> reason=524556, reason_text=b'error:0308010C:digital envelope 
> routines::unsupported')])
> What we are observing is that this error is intermittent, as we have 
> already tested the complete application a couple of times.
> Any thoughts or inputs on this will help us in debugging this issue 
> further.
> Thanks,
> Raghavendra
> *From:* Dr Paul Dale <pauli at>
> *Sent:* Wednesday, March 8, 2023 11:02 AM
> *To:* Prasad, PCRaghavendra; openssl-users at
> *Cc:* Ds, Pradeep Kumar; Kuppam, Pradeep; Kappgal, Srinath
> *Subject:* Re: OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need 
> help/inputs
>     Are there any specific .h files where we can refer to this method
>     that needs to be used ( ex: evp.h )?
> #include "openssl/evp.h" should be enough to get the EVP APIs.  You 
> will need other includes for other parts of OpenSSL but that covers 
> EVP well enough.
>     still, are there any files that we can go through once before
>     calling in the fips mode?
> Turn on -Wdeprecated or equivalent in your compile and the low level 
> calls will be flagged.  They should all be deprecated.
>     One more doubt is How can we set fips enabled for the complete
>     application (process/service) while running so that if we are
>     using non-compliant algorithms/methods it should throw errors? Is
>     it possible in OpenSSL 3.0.x?
> The call you are looking for is:
> EVP_set_default_properties(libctx, "fips=yes");
> I strongly suggest reading the documentation about the FIPS provider 
> [] and the migration guide [].  Both the avoidance of low level calls 
> and setting the default properties are covered therein.  There are a 
> number of other nuances to trip over when using the FIPS provider.
> Paul Dale

More information about the openssl-users mailing list