Disable FIPS mode when RADIUS is being used
Alan DeKok
aland at deployingradius.com
Sat Mar 1 12:18:26 PST 2025
On Mar 1, 2025, at 2:04 PM, Jouni Malinen <j at w1.fi> wrote:
> What is the purpose for forcing FIPS mode to be used by default in
> systemwide configuration?
The patch was simple. The second patch I sent was a lot less intrusive.
> I'm not sure what that claim is based on. OpenSSL (well, at least 3.4)
> reports that the algorithm cannot be fetched. There were a number of cases
> where hostap.git code did not pass that to upper layers, including many
> RADIUS cases, and I fixed those,
Thanks, that is the better fix. My tests were superficial, and I just wanted to highlight the problem and a potential solution.
> I pushed out a different way of addressing this internally within
> crypto_openssl.c. This is done only in builds that do not include
> CONFIG_FIPS=y.
Thanks.
> The changes I added for this will handle both disabling of FIPS mode and
> explicit loading of the default provider if the fips provider is loaded.
> I added this only for OpenSSL 3.x and newer since the older versions are
> not really supported (well, at least freely) anymore.
That makes sense.
Alan DeKok.