From d0c6eb10380213211a774c01d4546889355c12cc Mon Sep 17 00:00:00 2001
From: "Alan T. DeKok"
Date: Tue, 12 Aug 2025 12:53:27 -0400
Subject: [PATCH] redo "fips=no" to "-fips" as per commit 59e262 in the v3.2.x branch. and don't document the openssl_fips_mode flag. No one in their right mind needs to be enabling or disabling FIPS mode for just one application
---
 raddb/radiusd.conf.in | 7 -------
 src/lib/tls/base.c | 2 +-
 2 files changed, 1 insertion(+), 8 deletions(-)
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a9523b7ad5..7e43c739c9 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -567,13 +567,6 @@ security {
 max_attributes = 200
 @openssl_version_check_config@
-
- #
- # openssl_fips_mode:: Enable OpenSSL FIPS mode.
- #
- # This disables non-FIPS compliant digests and algorithms
- #
-# openssl_fips_mode = no
 }
 #
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index db8168a2bd..811b8eeddf 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -546,7 +546,7 @@ int fr_openssl_init(void)
 */
 int fr_openssl_fips_mode(bool enabled)
 {
- if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
+ if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "-fips")) {
 fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
 return -1;
 }
--
2.47.3
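Review bot: In the `src/lib/tls/base.c` hunk, `EVP_set_default_properties(NULL, ...)` replaces the whole default property query of the default library context, so in either branch any other default properties (for example ones set through the OpenSSL configuration file) appear to be discarded together with the FIPS clause. OpenSSL 3 provides `EVP_default_properties_enable_fips(NULL, enabled)`, which merges `fips=yes` or `-fips` into the existing query instead, so the condition could become `if (!EVP_default_properties_enable_fips(NULL, enabled)) {`. If the explicit string stays, a comment such as `/* "-fips" drops the fips clause from the query; unlike "fips=no" it does not exclude FIPS-provider implementations */` would stop a later reader from reverting it. The disabled branch now means "no FIPS requirement" rather than "FIPS algorithms off", which the "disabling" log text does not convey. The body of fr_openssl_fips_mode continues past the end of the hunk, so the success path was not reviewed.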