Using FIPS mode and modifying apps


 



On Wed, Jan 28, 2015, Tom Francis wrote:

> 
> Actually, I was thinking of the 1.x FIPS module, and OpenSSL 0.9.8, where
> OpenSSL would prevent disallowed algorithms from being used, but only if you
> used the EVP interfaces. You could, for example, invoke MD5 directly.  Did
> that change with 2.x?  (it's not something I paid much attention to, as I
> always used EVP, anyway).  It's also my understanding that the private APIs
> could still be used to bypass the FIPS mode algorithm checks, and that some
> applications may be using those.
> 

With 2.0 the low level calls are blocked in FIPS mode and you have to use EVP.

The blocking in OpenSSL is designed to block *accidental* calls to unapproved
algorithms in FIPS mode. An application can decide to bypass those checks
if it wants to (for example some usages of unapproved algorithms are 
considered acceptable in FIPS mode) with appropriate calls.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
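
Added illustration, not part of the original message and not OpenSSL project code: Python's hashlib calls OpenSSL digests through EVP and exposes the deliberate opt-out described above as the `usedforsecurity=False` argument (Python 3.9 or later is assumed). The helper names `probe`, `legacy_checksum` and `report` are hypothetical.

```python
import hashlib


def probe(name, data=b"abc"):
    """Classify how this interpreter's crypto backend treats digest `name`.

    "allowed"      - usable by default (usedforsecurity=True)
    "opt-in-only"  - refused by default, usable only with the explicit opt-out
    "unavailable"  - not usable either way
    """
    try:
        # Default call: on a FIPS-enforcing build an unapproved digest is
        # refused here, which is the accidental-use guard.
        hashlib.new(name, data)
        return "allowed"
    except ValueError:
        pass
    try:
        # Deliberate bypass: the caller states the digest is not being used
        # as a security function.
        hashlib.new(name, data, usedforsecurity=False)
        return "opt-in-only"
    except ValueError:
        return "unavailable"


def legacy_checksum(data):
    """MD5 for a non-security purpose (for example a cache key).

    The opt-out is written at the call site so a reviewer can find every
    place where an unapproved algorithm is used on purpose.
    """
    return hashlib.new("md5", data, usedforsecurity=False).hexdigest()


def report(names=("md5", "sha1", "sha256", "sha512")):
    """Map each digest name to its classification on this host."""
    return {n: probe(n) for n in names}


if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name:8s} {status}")
    print("legacy_checksum(b'abc') =", legacy_checksum(b"abc"))
```

On a host that is not enforcing FIPS every listed digest reports `allowed`; searching a code base for `usedforsecurity=False` gives the list of intentional exceptions to review.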

