On Wed, Nov 06, 2013, Karthik Krishnamurthy wrote:

> I have an application built across various Unix flavors that uses
> OpenSSL for SSL/TLS communication. I wanted to enable FIPS mode for my
> application. But, it seems like not all OpenSSL versions provide the
> FIPS_mode_set wrapper function.
>
> Basically, I want to be able to seamlessly call FIPS_mode_set and
> based on whether the libcrypto.so that gets loaded at runtime was
> built with OPENSSL_FIPS or not, it should return 1 or 0. This is
> something that OpenSSL 1.0.1 and later provides due to the presence of
> FIPS_mode_set wrapper available in o_fips.c. How could I achieve
> something like this in older OpenSSL versions?
>
> One obvious way is to dlopen the OpenSSL library and then later dlsym
> FIPS_mode_set. Is there another way to accomplish this?
>
FIPS_mode_set is only present in FIPS capable versions of OpenSSL 0.9.8: there it is implemented in the validated module itself. OpenSSL versions of OpenSSL 1.0.1 and later always include an FIPS_mode_set function but it just returns an error if OpenSSL isn't FIPS capable.

So without modifying OpenSSL dlopen/dlsym would work on other versions of OpenSSL.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
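
The dlopen/dlsym lookup discussed in this thread, as an added example that is not part of either message and is not OpenSSL code. The function name `try_fips_mode_set`, the result enum and the library name in the comment are assumptions made for illustration; only `FIPS_mode_set` comes from the thread.

```c
#include <dlfcn.h>
#include <stdio.h>

/* Outcome codes (hypothetical names, chosen for this example). */
enum fips_result {
    FIPS_LIB_NOT_LOADED = -1, /* dlopen() failed */
    FIPS_NOT_AVAILABLE  = 0,  /* symbol missing, or FIPS_mode_set() did not return 1 */
    FIPS_ENABLED        = 1   /* FIPS_mode_set(1) returned 1 */
};

typedef int (*fips_mode_set_fn)(int onoff);

/*
 * libpath: shared object to load, e.g. "libcrypto.so" (assumed name; the
 * real file name differs per platform and version). NULL searches the
 * images already loaded into the process, which suits a program that
 * links libcrypto directly.
 */
enum fips_result try_fips_mode_set(const char *libpath)
{
    fips_mode_set_fn fn = NULL;
    void *handle = dlopen(libpath, RTLD_NOW | RTLD_GLOBAL);

    if (handle == NULL) {
        fprintf(stderr, "dlopen: %s\n", dlerror());
        return FIPS_LIB_NOT_LOADED;
    }

    /* POSIX idiom for turning dlsym()'s void * into a function pointer. */
    *(void **)(&fn) = dlsym(handle, "FIPS_mode_set");
    if (fn == NULL) {
        /* Library without the symbol: treat it as not FIPS capable. */
        dlclose(handle);
        return FIPS_NOT_AVAILABLE;
    }

    /* 1.0.1 and later export the symbol but fail here if not FIPS capable. */
    if (fn(1) != 1) {
        dlclose(handle);
        return FIPS_NOT_AVAILABLE;
    }
    /* Keep the handle open: the loaded library now holds the FIPS state. */
    return FIPS_ENABLED;
}

int main(void)
{
    enum fips_result r = try_fips_mode_set(NULL);
    printf("FIPS mode: %s\n", r == FIPS_ENABLED ? "enabled" : "not enabled");
    return 0;
}
```

On older glibc systems this needs `-ldl` at link time.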