Here's a patch for enabling FIPS in OpenSSL - by calling FIPS_mode_set(1) - on Windows if the FIPS registry entry HKLM\System\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy\Enabled is set to 1. That's the entry that the .NET crypto libraries look at to decide whether or not to operate in FIPS mode.
I thought of submitting a pull request for adding this logic to OpenSSL, however (1) https://www.openssl.org/source/ says they are working on a new FIPS module, so I doubt they would take a pull request for OpenSSL 1.0.X and (2) For Linux, this logic doesn't exist on the standard OpenSSL distribution but only on the RHEL-specific OpenSSL patch (See method init_fips_mode() in https://git.centos.org/raw/rpms/openssl.git/c7/SOURCES!openssl-1.0.2i-fips.patch ).
Therefore, I believe the best option, at least for now, is calling FIPS_mode_set(1) in the application.
Attachment:
0001-On-Windows-call-FIPS_mode_set-1-if-FIPS-registry-ent.patch
Description: Binary data
