The Doctor wrote:
> That being said, how do you get openssl to compile with FIPS
> and be backwards compatible at the same time?
That is what the FIPS mode is for - the library as built supports all algorithms,
and when in FIPS mode it disables the use of non-approved algorithms.
A single application can work in both FIPS and non-FIPS mode. You can add in
code to choose which mode to be in on a per-connection basis if that is what
your application requires.
See the usage of FIPS_mode_set()
Note also that due to an implementation quirk you need to clear the currently
set RNG when switching back into FIPS mode.
i.e.

    RAND_set_rand_method(NULL);
    FIPS_mode_set(1);
Tim.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]