On Thu, 2023-06-22 at 16:53 +0530, Tathagata Chakraborty wrote:
> Hi,
>
> I am planning to use openssl 3.0.9 as a static lib and use the Fips
> provider from Openssl 3.0.8 with that.

Hi,

that should work just fine.

> While building the 3.0.9 statically, do I need to use the
> enable-fips flag?

No, that is not necessary. Missing enable-fips just disables the build of the fips provider but otherwise it does not change anything in the libcrypto and libssl.

> If I do use the enable fips flag in the build of 3.0.9, then do I
> need to use the legacy.dylib (base provider) that is produced in
> the build? Note my project code will be linked using the static
> libs (libcrypto.a and libssl.a) and my code also uses things that
> are not provided by the fips module.

The legacy.dylib is the legacy provider. That is needed only if you are using legacy crypto algorithms that are inside this provider. It has to be explicitly loaded by API call or configuration, otherwise it is unused.

-- 
Tomáš Mráz, OpenSSL
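
The configuration route mentioned in the reply, as an added example that is not part of the original message or of OpenSSL's shipped configuration: an `openssl.cnf` fragment that activates the FIPS provider and leaves the legacy provider unloaded. The `.include` path is a placeholder, `fips_sect` is the section name `openssl fipsinstall` writes by default, and the other section names are chosen for this illustration. The API-call route is `OSSL_PROVIDER_load(NULL, "legacy")`.

```ini
# Added illustration; path and section names below are assumptions.
openssl_conf = openssl_init

# Placeholder path: the file generated by
#   openssl fipsinstall -out fipsmodule.cnf -module <fips module>
# using the fips provider built from 3.0.8.
.include /path/to/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
# FIPS provider; [fips_sect] itself comes from the included fipsmodule.cnf.
fips = fips_sect

# Base provider: built into libcrypto (no separate module file). It supplies
# the encoders/decoders for key files, which the FIPS provider does not.
base = base_sect

# Default provider: built into libcrypto. Once any provider is activated
# explicitly it is no longer loaded automatically, so code that needs
# algorithms outside the FIPS module has to activate it here.
default = default_sect

# Legacy provider (the legacy.dylib module). Commented out, so it is never
# loaded. Uncomment only if the application needs the legacy algorithms it
# contains.
# legacy = legacy_sect

[base_sect]
activate = 1

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

`openssl list -providers`, run with `OPENSSL_CONF` pointing at this file, shows which providers were actually activated.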