Migrating to openssl3 and fips

Tomas Mraz tomas at openssl.org
Mon Jul 10 07:51:26 UTC 2023

On Fri, 2023-07-07 at 12:13 -0700, TC wrote:
> Hi we have an application written using openssl1 and we would like to
> migrate to openssl3, and we have several questions:
> 1. Is the compiler smart enough to raise warnings for all usage of
> deprecated APIs? Do we need to do any exhaustive code walkthrough to
> look for them?

Of course it is always better to review your code if you want to be
100% sure but compiler should show warnings for any usage of deprecated
API functions.

> 2. We had been ignoring the warnings via compiler flags (gcc no-
> deprecated-warnings).  We are wondering if that would still work if
> we want to use FIPS in openssl3?

The application should still work. That does not mean it will be FIPS
compliant though. Actually the opposite as any use of most of the
deprecated API calls makes your application inherently non-compliant
with FIPS requirements because the crypto implemenation you'll be using
won't be FIPS validated.

> 3. Do we have to use the new provider method to pick a FIPS provider
> on openssl3 if we want to use FIPS?  Would that be a problem if we
> don't want to migrate our deprecated APIs yet and want to continue to
> ignore the warnings?

Yes, that would be a problem as I wrote above. You need to use the EVP
calls with properly set up FIPS provider to be FIPS compliant.

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list