From 0a81220a01e888c3ee4ab18dfdcab6472d9e214c Mon Sep 17 00:00:00 2001 From: Pauli Date: Mon, 27 Feb 2023 10:14:43 +1100 Subject: [PATCH] Update FIPS provider documentation to note that fips=yes is mandatory This was in the notes section but an earlier comment about it not being mandatory was missed. Fixes #20376 Reviewed-by: Matt Caswell Reviewed-by: Shane Lontis (Merged from https://github.com/openssl/openssl/pull/20382) --- doc/man7/OSSL_PROVIDER-FIPS.pod | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod index 9396b5e4318..1e1601cef1b 100644 --- a/doc/man7/OSSL_PROVIDER-FIPS.pod +++ b/doc/man7/OSSL_PROVIDER-FIPS.pod @@ -29,14 +29,17 @@ L or L, as well as with other functions that take a property query string, such as L. -It isn't mandatory to query for any of these properties, except to -make sure to get implementations of this provider and none other. - -The C property can be use to make sure only FIPS approved -implementations are used for crypto operations. This may also include -other non-crypto support operations that are not in the FIPS provider, -such as asymmetric key encoders, -see L. +To be FIPS compliant, it is mandatory to include C as +part of all property queries. This ensures that only FIPS approved +implementations are used for cryptographic operations. The C +query may also include other non-crypto support operations that +are not in the FIPS provider, such as asymmetric key encoders, see +L. + +It is not mandatory to include C as part of your property +query. Including C in your property query guarantees +that the OpenSSL FIPS provider is used for cryptographic operations +rather than other FIPS capable providers. =head1 OPERATIONS AND ALGORITHMS -- 2.47.3