On Mar 1, 2025, at 2:04 PM, Jouni Malinen <j@xxxxx> wrote:
> What is the purpose for forcing FIPS mode to be used by default in
> systemwide configuration?

The patch was simple. The second patch I sent was a lot less intrusive.

> I'm not sure what that claim is based on.. OpenSSL (well, at least 3.4)
> reports that the algorithm cannot be fetched. There were a number of cases
> where hostap.git code did not pass that to upper layers, including many
> RADIUS cases, and I fixed those,

Thanks, that is the better fix. My tests were superficial, and I just wanted to highlight the problem and a potential solution.

> I pushed out a different way of addressing this internally within
> crypto_openssl.c. This is done only in builds that do not include
> CONFIG_FIPS=y.

Thanks.

> The changes I added for this will handle both disabling of FIPS mode and
> explicit loading of the default provider if the fips provider is loaded.
> I added this only for OpenSSL 3.x and newer since the older versions are
> not really supported (well, at least freely) anymore.

That makes sense.

Alan DeKok.

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap