For historical reasons going way back to the earliest days of the
FIPS Object Module, we modified libcrypto to add a constructor
function that reads a configuration file and calls FIPS_mode_set()
to enable or disable FIPS mode. This mechanism ensures that FIPS
mode is enabled for all applications system-wide. I need to preserve
this functionality with OpenSSL 3.x, even for applications that
might explicitly set OPENSSL_CONF to point at some other
configuration (effectively forcing them to fail if that other
configuration does not have a valid FIPS section from "openssl
fipsinstall"). I'd like to confirm: with OpenSSL 3.x and the new
FIPS provider, is it valid to call
EVP_default_properties_enable_fips(NULL, 1) from a libcrypto
constructor prior to main() or any other OpenSSL APIs getting
invoked?
Thanks,
Tom.III