I'm struggling to understand how EVP_default_properties_is_fips_enabled() works. I cannot get this function to return nonzero unless I first call either EVP_default_properties_enable_fips() or EVP_set_default_properties(), even when the config file sets default_properties to enable fips.

Also, the return value of this function doesn't seem to have any effect on which provider gets selected (which I think is what issue #11594 describes?). My config file has the following:

    [openssl_init]
    providers = provider_sect
    alg_section = alg_sect

    [provider_sect]
    fips = fips_sect
    default = default_sect

    [default_sect]
    activate = 1

    [alg_sect]
    default_properties = fips=yes

    .include /path/to/fips.cnf

I understand this to mean both the default provider and the fips provider will be loaded into the default context, and both of these providers will be activated. I also see that:

    EVP_MD_fetch(NULL, "sha256", NULL);

returns a pointer which EVP_MD_provider() confirms as being from the fips provider (as expected). Changing this to "fips=no" in the config file results in EVP_MD_fetch() returning EVP_MD from the default provider, again as expected. However, in both cases, EVP_default_properties_is_fips_enabled() always returns zero. I don't see anything in #11594 that would explain this.

Calling EVP_default_properties_enable_fips(NULL, 1) results in EVP_default_properties_is_fips_enabled() returning 1, but this does not appear to override the fips=no from the config file during EVP_MD_fetch() (which is what I believe #11594 describes).

Is the result of EVP_default_properties_is_fips_enabled() supposed to take into account the default properties specified in the config file? I don't see it doing that.

Also, regarding #11594, if default properties are currently still broken, why do those in the config appear to work properly?

And finally the burning question: Any ETA on a fix? :-) :-) :-)

Thanks,
Tom.III