Enable FIPS mode using OPENSSL_config()


security veteran
Hi All:

My understanding is that by using OPENSSL_config(), we will be able to enable FIPS mode globally on the system. Is that correct?

My question is, if we enable FIPS mode through configuration and using OPENSSL_config(), does it mean that for all the applications which link to the OpenSSL library, the FIPS_mode_set() function will be invoked automatically (at some level), even if these applications are not modified to invoke FIPS_mode_set() by themselves?

The reason I ask is mainly because I am evaluating how I should modify my server platform and applications in order to adapt the FIPS capable OpenSSL library into the platform.

From the previous suggestions seen in this forum, it looks like the best strategy is to select only a few important applications to run under FIPS mode, and that way we only need to modify these applications to allow them to invoke FIPS_mode_set().

My assumption is, for those applications which link to OpenSSL but are not FIPS aware, even if we run OPENSSL_config() to enable FIPS mode globally, they will still be running in non-FIPS mode and they won't be impacted or crash because they are not FIPS compatible. Is my understanding correct?

Thanks.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users