On Mon, Mar 5, 2018 at 3:04 AM, Dr. Matthias St. Pierre < matthias.st.pie...@ncp-e.com> wrote:
> > > On 05.03.2018 11:57, Dr. Matthias St. Pierre wrote: > > > > However, I am sceptical whether this approach will be accepted, > > because there are (at least) two potential problems: > > > > * Normally, it is mandatory to check the result of FIPS_mode_set() or > > FIPS_mode() to ensure that the FIPS initialization succeeded. However, > > an application which is not FIPS-aware won't check the result. > > * It can happen that applications which have their own configuration > > and enable/disable FIPS mode explicitely, call FIPS_mode_set(0) > > afterwards. > > > > > > HTH, > > Matthias > > > > One more obstacle: In FIPS mode it is not allowed to use low level > crypto algorithms, only the EVP interface is allowed. So most of your > non-fips-aware applications will malfunction when forced into FIPS mode. > The consequence is: it's probably not possible to do it. > Did you mean if an application uses the low level crypto algorithm functions (e.g. SHA256_Init/ SHA256_Update/ SHA256_Final) then they won't work under FIPS mode (and hence may cause unpredictable issues)? > > Matthias > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users >
-- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
