On 16/02/2021 19:40, Nagarjun J wrote: > How to verify if the application is using fips provider from > openssl-3.0.0 ( similar to fips_mode() api in openssl-fips-2.0.16) Using the FIPS provider in Openssl 3.0 works quite differently to the old FIPS module. There isn't a one-to-one correspondence to the old APIs. I suggest you make sure you read the 3.0 wiki page to get a good understand about how it works: https://wiki.openssl.org/index.php/OpenSSL_3.0 There are a number of ways to ensure that you are always using the FIPS provider (for example by ensuring that that is the only provider that is loaded). It's also possible to have multiple providers loaded but using properties to ensure that only FIPS algorithms are ever selected. If you use properties to control this then you can use EVP_default_properties_enable_fips() to set the default global properties to "fips=yes". You can then also use EVP_default_properties_is_fips_enabled() to check whether the default properties are set to "fips=yes". > and > does fips provider do run time check and through error if application > using non fips ciphers. When you attempt to use a cipher then libcrypto will attempt to find a suitable one from the available providers that have been loaded based on any property query string that is being used. As long as you configure things in the right way (as per the various options described in the wiki page above) then you will only have fips validated ciphers loaded and that match the property query. If you attempt to use some other non-validated cipher then libcrypto would throw and error because it is unable to find a matching cipher. Matt
