change "fips=no" to "-fips"

based on discussions with the OpenSSL developers in

https://github.com/FreeRADIUS/freeradius-server/issues/5631

and

https://docs.openssl.org/3.5/man7/property/#global-and-local

diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a9523b7ad597d6893aecb0475bcf69f7d053984d..48f89f68fab0f2d710e6e5d11974c74f94bc82c3 100644 (file)
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -569,9 +569,19 @@ security {
 @openssl_version_check_config@
 
        #
-       #  openssl_fips_mode:: Enable OpenSSL FIPS mode.
+       #  openssl_fips_mode:: Disable OpenSSL FIPS mode.
        #
-       #  This disables non-FIPS compliant digests and algorithms
+       #  Setting this to "yes" means "use whatever FIPS mode is
+       #  available on the system".
+       #
+       #  Setting this to "no" means "disable FIPS mode just for
+       #  FreeRADIUS".
+       #
+       #  FreeRADIUS MUST disable FIPS mode in order to use MD4 and
+       #  MD5 from the OpenSSL APIs.
+       #
+       #  This setting should only be used then the system as a whole
+       #  enables FIPS, and you still want to use RADIUS.
        #
 #      openssl_fips_mode = no
 }

diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index db8168a2bd97e71fe506ed2868772f3ab4d8abd4..447e54af73c09243d8f097445e3825f126bbae52 100644 (file)
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -546,8 +546,10 @@ int fr_openssl_init(void)
  */
 int fr_openssl_fips_mode(bool enabled)
 {
-       if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
-               fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+       if (enabled) return 0;  /* don't change the FIPS mode */
+
+       if (!EVP_set_default_properties(NULL, "-fips")) {
+               fr_tls_log(NULL, "Failed disabling OpenSSL FIPS mode");
                return -1;
        }