-
Notifications
You must be signed in to change notification settings - Fork 30k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: raise error for --enable-fips when no FIPS #38859
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
bcfa6df
to
c94d2ac
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be possible to write a test for this?
That should be possible. Sorry about the late reply (I had to give other tasks priority over this one last week) and I'll take a look at adding a test this week. Thanks |
c94d2ac
to
bd9c8ca
Compare
This commit moves the check for FIPS from the crypto module initialization to process startup. The motivation for this is that when OpenSSL is not FIPS enabled and the command line options --enable-fips, or --force-fips are used, there will only be an error raised if the crypto module is used. This can be surprising and we have gotten feedback that users assumed that there would be an error if these options were specified and FIPS is not available.
1d4d918
to
9531296
Compare
This commit moves the check for FIPS from the crypto module initialization to process startup. The motivation for this is that when OpenSSL is not FIPS enabled and the command line options --enable-fips, or --force-fips are used, there will only be an error raised if the crypto module is used. This can be surprising and we have gotten feedback that users assumed that there would be an error if these options were specified and FIPS is not available. PR-URL: #38859 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Landed in 1997aa3. |
This commit moves the check for FIPS from the crypto module initialization to process startup. The motivation for this is that when OpenSSL is not FIPS enabled and the command line options --enable-fips, or --force-fips are used, there will only be an error raised if the crypto module is used. This can be surprising and we have gotten feedback that users assumed that there would be an error if these options were specified and FIPS is not available. PR-URL: #38859 Reviewed-By: Michael Dawson <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Richard Lau <[email protected]>
Doesn't land cleanly on v14.x-staging. |
This commit moves the check for FIPS from the crypto module
initialization to process startup.
The motivation for this is that when OpenSSL is not FIPS enabled and the
command line options --enable-fips, or --force-fips are used, there will
only be an error raised if the crypto module is used. This can be
surprising and we have gotten feedback that users assumed that there
would be an error if these options were specified and FIPS is not
available.
Example output using OpenSSL 1.1.1:
Example output using OpenSSL 3.0: