OpenSSL 3.0.x + Python 3.9.x + Enable FIPS - Need help/inputs
Matt Caswell
matt at openssl.org
Wed Mar 8 10:07:54 UTC 2023
On 08/03/2023 05:31, Dr Paul Dale wrote:
>> One more doubt is: how can we enable FIPS for the complete
>> application (process/service) while it is running, so that if we are
>> using non-compliant algorithms/methods it throws errors? Is it
>> possible in OpenSSL 3.0.x?
>>
>
> The call you are looking for is:
>
> EVP_set_default_properties(libctx, "fips=yes");
Or just:
EVP_default_properties_enable_fips(libctx, 1);
You must call these functions for every libctx that you use (or just
once for the default libctx if that's all you use).
These functions only restrict the EVP calls. If you use deprecated
functions then there is a significant risk that you aren't using FIPS
crypto.
>
> I strongly suggest reading the documentation about the FIPS provider
> <https://www.openssl.org/docs/man3.0/man7/fips_module.html> and the
> migration guide
> <https://www.openssl.org/docs/man3.0/man7/migration_guide.html>. Both
> the avoidance of low level calls and setting the default properties are
> covered therein. There are a number of other nuances to trip over when
> using the FIPS provider.
I'd consider the fips_module link above as essential reading for anyone
using the FIPS module.
Matt