On 01/27/2016 05:33 PM, cloud force wrote: > Hi everyone, > > Does OpenSSL FIPS modules keep all the OpenSSL APIs intact? > i.e. If we use the OpenSSL FIPS modules, we don't need to make any API > invocation changes on our applications side (in addition to invoking the > FIPS_mode_set API). Is that correct? OpenSSL and the OpenSSL FIPS module (technically the "OpenSSL FIPS Object Module v2.0") are separate and distinct software products. The OpenSSL FIPS module doesn't replace OpenSSL. The "FIPS capable" OpenSSL (OpenSSL built with the "fips" option in the presence of the FIPS module) will behave just like stock OpenSSL until the FIPS mode of operation is enabled. At that point many cryptographic operations are automagically disabled; but that's not the same thing as changing the API. -Steve M. -- Steve Marquess OpenSSL Software Foundation 1829 Mount Ephraim Road Adamstown, MD 21710 USA +1 877 673 6775 s/b +1 301 874 2571 direct marquess at openssl.com gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
