Using openSSL 3.0.9 with fips (3.0.8)

Tomas Mraz tomas at
Fri Jun 23 07:29:03 UTC 2023

On Thu, 2023-06-22 at 16:53 +0530, Tathagata Chakraborty wrote:
> Hi,
> I am planning to use openssl 3.0.9 as a static lib and use the Fips
> provider from Openssl 3.0.8 with that. 


that should work just fine.

> > > While building the 3.0.9 statically, do I need to use the enable-
> > > fips flag?

No, that is not necessary. Missing enable-fips just disables the build
of the fips provider but otherwise it does not change anything in the
libcrypto and libssl.

> > > If I do use the enable fips flag in the build of 3.0.9, then do I
> > > need to use the legacy.dylib (base provider) that is produced in
> > > the build?. Note my project code will be linked using the static
> > > libs (libcrypto.a and libssl.a) and my code also uses things that
> > > are not provided by the fips module.

The legacy.dylib is the legacy provider. That is needed only if you are
using legacy crypto algorithms that are inside this provider. It has to
be explictly loaded by API call or configuration, otherwise it is

Tomáš Mráz, OpenSSL

More information about the openssl-users mailing list