OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

Dr Paul Dale pauli at
Wed Mar 8 05:31:30 UTC 2023

> Are there any specific .h files where we can refer to this method that 
> needs to be used ( ex: evp.h )?

#include "openssl/evp.h" should be enough to get the EVP APIs.  You will 
need other includes for other parts of OpenSSL but that covers EVP well 

> still, are there any files that we can go through once before calling 
> in the fips mode?

Turn on -Wdeprecated or equivalent in your compile and the low level 
calls will be flagged.  They should all be deprecated.

> One more doubt is How can we set fips enabled for the complete 
> application (process/service) while running so that if we are using 
> non-compliant algorithms/methods it should throw errors? Is it 
> possible in OpenSSL 3.0.x?

The call you are looking for is:

EVP_set_default_properties(libctx, "fips=yes");

I strongly suggest reading the documentation about the FIPS provider 
<> and the 
migration guide 
<>.  Both 
the avoidance of low level calls and setting the default properties are 
covered therein.  There are a number of other nuances to trip over when 
using the FIPS provider.

Paul Dale
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list