OpenSSL 3.0.x + Python 3.9.x + Enable FIPS- Need help/inputs

Matt Caswell matt at
Wed Mar 8 10:07:54 UTC 2023

On 08/03/2023 05:31, Dr Paul Dale wrote:

>> One more doubt is How can we set fips enabled for the complete 
>> application (process/service) while running so that if we are using 
>> non-compliant algorithms/methods it should throw errors? Is it 
>> possible in OpenSSL 3.0.x?
> The call you are looking for is:
> EVP_set_default_properties(libctx, "fips=yes");

Or just:

EVP_default_properties_enable_fips(libctx, 1);

You must call these functions for every libctx that you use (or just 
once for the default libctx if that's all you use).

These functions only restrict the EVP calls. If you use deprecated 
functions then there is a significant risk that you aren't using FIPS 

> I strongly suggest reading the documentation about the FIPS provider 
> <> and the 
> migration guide 
> <>.  Both 
> the avoidance of low level calls and setting the default properties are 
> covered therein.  There are a number of other nuances to trip over when 
> using the FIPS provider.

I'd consider the fips_module link above as essential reading for anyone 
using the FIPS module.


More information about the openssl-users mailing list