On Thu, Jan 15, 2015 at 05:46:22AM -0500, jonetsu at teksavvy.com wrote: > On Tue, 13 Jan 2015 21:33:49 -0500 > "jonetsu at teksavvy.com" <jonetsu at teksavvy.com> wrote: > > > So basically every app that uses libssl will have to be modified to > > add a FIPS_mode_set() call near the beginning. Is that right ? > > Is there a way to automatically have the FIPS test executed when an > application loads the library, w/o the application being modified ? Is > such a way used at all ? This is actually mandated these days. The library should do this in its ELF constructor for instance. On Linux usually triggered by /proc/sys/crypto/fips_enabled containing "1" or the environment variable OPENSSL_FORCE_FIPS_MODE=1 (at least for the certs done by SUSE and Redhat, which do not use the container blob). Ciao, Marcus
