Thanks John. In that case it may be more complicated to invoke the *FIPS_mode_set* API from the Python layer.

Is there any way to make the FIPS mode always enabled by default in the library layer, so that there's no need to invoke the FIPS_mode_set API?

Thanks.

----------------

Your first question should be presented to the Python developers that provide support for OpenSSL. They would be the user of the OpenSSL API. I'm not a Python expert, but somewhere they would have a native layer that leverages the OpenSSL API. This native layer code would need to invoke FIPS_mode_set(). The question is whether or not they expose a knob to the Python user layer to enable/disable FIPS. Maybe someone on this mailer happens to know the answer. If not, reach out to the Python developer community.

Regarding your second question, FIPS_mode_set() needs to be invoked once within each process space. Therefore, if your Python code was all running in a single process space, then you'd only need to invoke it once. But if you're spawning multiple processes, then you'll need to invoke it whenever a new process was created.

On 09/14/2015 03:51 PM, security veteran wrote:
> Hi,
>
> I've built an openssl library with the FIPS objects modules, and I was
> testing the new lib files by replacing the original library files such
> as libcrypto.so with the new ones.
>
> From the FIPS user guide I understand that any applications which need
> to use the OpenSSL FIPS modules will need to run the API FIPS_mode_set
> to enable the FIPS mode.
>
> My question is, for the applications/libraries like Python-openssl
> which depend on the openssl libraries, how do I make the
> Python-openssl module run the FIPS_mode_set API, in order to
> initialize/enable FIPS mode?
>
> Also, does the FIPS_mode_set API only need to be run once by one of
> the applications/libraries which use OpenSSL?
>
> Thanks for your help!
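The per-process call discussed in this thread, as an added example that is not part of the original messages and is not code from Python or the OpenSSL project: it calls `FIPS_mode_set(1)` through `ctypes` and confirms the result with `FIPS_mode()`. It assumes the `libcrypto` that `ctypes` loads is the same shared object the process's SSL bindings are linked against; `load_libcrypto`, `enable_fips` and the `path` override are hypothetical names.

```python
import ctypes
import ctypes.util
import os


def load_libcrypto(path=None):
    # `path` is a hypothetical override pointing at the FIPS-capable build.
    name = path or ctypes.util.find_library("crypto")
    if name is None:
        raise OSError("libcrypto not found")
    return ctypes.CDLL(name)


def enable_fips(lib):
    """Call FIPS_mode_set(1) for the current process; return (ok, detail)."""
    try:
        mode_set, mode_get = lib.FIPS_mode_set, lib.FIPS_mode
    except AttributeError:
        # A build without these symbols cannot be switched this way.
        return False, "libcrypto exports no FIPS_mode_set/FIPS_mode"
    mode_set.argtypes, mode_set.restype = [ctypes.c_int], ctypes.c_int
    mode_get.argtypes, mode_get.restype = [], ctypes.c_int
    if mode_set(1) != 1:  # 1 means success, 0 means failure
        get_err = getattr(lib, "ERR_get_error", None)
        code = 0
        if get_err is not None:
            get_err.restype = ctypes.c_ulong
            code = get_err()
        return False, "FIPS_mode_set(1) failed, OpenSSL error 0x%08x" % code
    if mode_get() != 1:
        return False, "FIPS_mode() still reports non-FIPS mode"
    return True, "FIPS mode enabled in pid %d" % os.getpid()


if __name__ == "__main__":
    # Run once at start-up in every process that uses the library.
    print(enable_fips(load_libcrypto()))
```

Checking the return value and failing closed matters here: a process that ignores a failed `FIPS_mode_set(1)` keeps running with non-FIPS algorithms available.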