OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

Dr Paul Dale pauli at openssl.org
Wed Mar 8 05:31:30 UTC 2023


> Are there any specific .h files where we can refer to this method that 
> needs to be used ( ex: evp.h )?
>

#include "openssl/evp.h" should be enough to get the EVP APIs.  You will 
need other includes for other parts of OpenSSL but that covers EVP well 
enough.


> still, are there any files that we can go through once before calling 
> in the fips mode?
>

Turn on -Wdeprecated or equivalent in your compile and the low level 
calls will be flagged.  They should all be deprecated.


> One more doubt is how can we set fips enabled for the complete 
> application (process/service) while running so that if we are using 
> non-compliant algorithms/methods it should throw errors? Is it 
> possible in OpenSSL 3.0.x?
>

The call you are looking for is:

EVP_set_default_properties(libctx, "fips=yes");

I strongly suggest reading the documentation about the FIPS provider 
<https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the 
migration guide 
<https://www.openssl.org/docs/man3.0/man7/migration_guide.html>.  Both 
the avoidance of low level calls and setting the default properties are 
covered therein.  There are a number of other nuances to trip over when 
using the FIPS provider.


Paul Dale