]> git.ipfire.org Git - thirdparty/freeradius-server.git/commitdiff
projects / thirdparty / freeradius-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0ad5e23)
Revert "change "fips=no" to "-fips""
authorAlan T. DeKok <aland@freeradius.org>
Tue, 12 Aug 2025 16:52:49 +0000 (12:52 -0400)
committerAlan T. DeKok <aland@freeradius.org>
Tue, 12 Aug 2025 16:52:49 +0000 (12:52 -0400)
This reverts commit 4340edae652b086078e8000a91899c3c73bd4e2b.

raddb/radiusd.conf.in patch | blob | blame | history
src/lib/tls/base.c patch | blob | blame | history

diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 48f89f68fab0f2d710e6e5d11974c74f94bc82c3..a9523b7ad597d6893aecb0475bcf69f7d053984d 100644 (file)
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -569,19 +569,9 @@ security {
 @openssl_version_check_config@
 
        #
-       #  openssl_fips_mode:: Disable OpenSSL FIPS mode.
+       #  openssl_fips_mode:: Enable OpenSSL FIPS mode.
        #
-       #  Setting this to "yes" means "use whatever FIPS mode is
-       #  available on the system".
-       #
-       #  Setting this to "no" means "disable FIPS mode just for
-       #  FreeRADIUS".
-       #
-       #  FreeRADIUS MUST disable FIPS mode in order to use MD4 and
-       #  MD5 from the OpenSSL APIs.
-       #
-       #  This setting should only be used then the system as a whole
-       #  enables FIPS, and you still want to use RADIUS.
+       #  This disables non-FIPS compliant digests and algorithms
        #
 #      openssl_fips_mode = no
 }
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index 447e54af73c09243d8f097445e3825f126bbae52..db8168a2bd97e71fe506ed2868772f3ab4d8abd4 100644 (file)
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -546,10 +546,8 @@ int fr_openssl_init(void)
  */
 int fr_openssl_fips_mode(bool enabled)
 {
-       if (enabled) return 0;  /* don't change the FIPS mode */
-
-       if (!EVP_set_default_properties(NULL, "-fips")) {
-               fr_tls_log(NULL, "Failed disabling OpenSSL FIPS mode");
+       if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
+               fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
                return -1;
        }
 
Mirror of https://github.com/FreeRADIUS/freeradius-server.git