<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body>
It was meant for the second method only. The first method is using
different library contexts to distinguish FIPS algorithms. Using
the properties in addition is harmless and might prevent a future
mistake that breaks compliance.<br>
<br>
Pauli<br>
<br>
<div class="moz-cite-prefix">On 26/10/21 4:46 am, Jason Schultz
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:SN6PR10MB2653D87C3349331FC206E444C7839@SN6PR10MB2653.namprd10.prod.outlook.com">
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
<style type="text/css" style="display:none;">P {margin-top:0;margin-bottom:0;}</style>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
Thanks again. I think most of that makes sense. Going back to
your initial response, there is something I'm not clear on. </div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
The second method you explained (which I don't plan to use)
starting with "Alternatively,..." included the calls to
OSSL_PRIVIDER_load(), and then discussed calling the following
API for FIPS:</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<pre style="font-family:courier, "courier new", monospace;font-size:14px;overflow-wrap:break-word;margin:0em;background-color:rgb(255, 255, 255)"> EVP_set_default_properties(NULL, “fips=yes”);</pre>
<br>
</div>
<div style="font-family: Calibri, Helvetica, sans-serif;
font-size: 12pt; color: rgb(0, 0, 0);">
<span></span></div>
<div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Was the EVP_set_default_properties() call specifically and
only for the 2nd method, or did that API call apply to both
the first and second methods you explained? From reading the
doc for that call, it seems like I should be doing it if I use
the first method as well.</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Regards,</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Jason</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font style="font-size:11pt"
face="Calibri, sans-serif" color="#000000"><b>From:</b>
openssl-users <a class="moz-txt-link-rfc2396E" href="mailto:openssl-users-bounces@openssl.org"><openssl-users-bounces@openssl.org></a> on
behalf of Dr Paul Dale <a class="moz-txt-link-rfc2396E" href="mailto:pauli@openssl.org"><pauli@openssl.org></a><br>
<b>Sent:</b> Sunday, October 24, 2021 11:12 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:openssl-users@openssl.org">openssl-users@openssl.org</a>
<a class="moz-txt-link-rfc2396E" href="mailto:openssl-users@openssl.org"><openssl-users@openssl.org></a><br>
<b>Subject:</b> Re: OpenSSL 3.0 FIPS questions</font>
<div> </div>
</div>
<div>The configuration shouldn't have much impact. You will
need a fips section specifying where the integrity check data
are. You shouldn't need base or default sections.<br>
<br>
<br>
Pauli<br>
<br>
<div class="x_moz-cite-prefix">On 25/10/21 5:23 am, Jason
Schultz wrote:<br>
</div>
<blockquote type="cite">
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<span id="" title="" class="">Thank you </span>for your
response. I think all of that makes sense, and seems to
accomplish what I want programmatically, limiting it to my
application. I guess the only question I have is what
about the config files? Should they remain as they were
installed, or do I need to provide sections for fips,
base, default, etc?</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Regards,</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
Jason</div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<div>
<div style="font-family:Calibri,Helvetica,sans-serif;
font-size:12pt; color:rgb(0,0,0)">
<br>
</div>
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="x_divRplyFwdMsg" dir="ltr"><font
style="font-size:11pt" face="Calibri, sans-serif"
color="#000000"><b>From:</b> openssl-users
<a class="x_moz-txt-link-rfc2396E"
href="mailto:openssl-users-bounces@openssl.org"
moz-do-not-send="true">
<openssl-users-bounces@openssl.org></a> on
behalf of Dr Paul Dale <a
class="x_moz-txt-link-rfc2396E"
href="mailto:pauli@openssl.org"
moz-do-not-send="true">
<pauli@openssl.org></a><br>
<b>Sent:</b> Sunday, October 24, 2021 12:28 AM<br>
<b>To:</b> <a class="x_moz-txt-link-abbreviated"
href="mailto:openssl-users@openssl.org"
moz-do-not-send="true">
openssl-users@openssl.org</a> <a
class="x_moz-txt-link-rfc2396E"
href="mailto:openssl-users@openssl.org"
moz-do-not-send="true">
<openssl-users@openssl.org></a><br>
<b>Subject:</b> Re: OpenSSL 3.0 FIPS questions</font>
<div> </div>
</div>
<div>Oops, the second time this occurs "<font
face="monospace">defp = OSSL_PROVIDER_load(<span
style=""></span>non_fips_libctx, "default");" it
should be "</font><font face="monospace">defp =
OSSL_PROVIDER_load(NULL, "default");"</font><br>
<br>
<br>
Pauli<br>
<br>
<div class="x_x_moz-cite-prefix">On 24/10/21 10:06 am,
Dr Paul Dale wrote:<br>
</div>
<blockquote type="cite"><font face="monospace">defp =
OSSL_PROVIDER_load(<span style=""></span>non_fips_libctx,
"default");</font></blockquote>
<br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>