On Fri, 2023-07-07 at 12:13 -0700, TC wrote: > Hi we have an application written using openssl1 and we would like to > migrate to openssl3, and we have several questions: > > 1. Is the compiler smart enough to raise warnings for all usage of > deprecated APIs? Do we need to do any exhaustive code walkthrough to > look for them? Of course it is always better to review your code if you want to be 100% sure but compiler should show warnings for any usage of deprecated API functions. > 2. We had been ignoring the warnings via compiler flags (gcc no- > deprecated-warnings). We are wondering if that would still work if > we want to use FIPS in openssl3? The application should still work. That does not mean it will be FIPS compliant though. Actually the opposite as any use of most of the deprecated API calls makes your application inherently non-compliant with FIPS requirements because the crypto implemenation you'll be using won't be FIPS validated. > 3. Do we have to use the new provider method to pick a FIPS provider > on openssl3 if we want to use FIPS? Would that be a problem if we > don't want to migrate our deprecated APIs yet and want to continue to > ignore the warnings? Yes, that would be a problem as I wrote above. You need to use the EVP calls with properly set up FIPS provider to be FIPS compliant. -- Tomáš Mráz, OpenSSL
