From: Alan T. DeKok
Date: Mon, 11 Aug 2025 15:00:29 +0000 (-0400)
Subject: change "fips=no" to "-fips"
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4340edae652b086078e8000a91899c3c73bd4e2b;p=thirdparty%2Ffreeradius-server.git
change "fips=no" to "-fips" based on discussions with the OpenSSL developers in https://github.com/FreeRADIUS/freeradius-server/issues/5631 and https://docs.openssl.org/3.5/man7/property/#global-and-local
---
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index a9523b7ad59..48f89f68fab 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -569,9 +569,19 @@ security {
 @openssl_version_check_config@
 #
- # openssl_fips_mode:: Enable OpenSSL FIPS mode.
+ # openssl_fips_mode:: Disable OpenSSL FIPS mode.
 #
- # This disables non-FIPS compliant digests and algorithms
+ # Setting this to "yes" means "use whatever FIPS mode is
+ # available on the system".
+ #
+ # Setting this to "no" means "disable FIPS mode just for
+ # FreeRADIUS".
+ #
+ # FreeRADIUS MUST disable FIPS mode in order to use MD4 and
+ # MD5 from the OpenSSL APIs.
+ #
+ # This setting should only be used then the system as a whole
+ # enables FIPS, and you still want to use RADIUS.
 #
 # openssl_fips_mode = no
 }
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index db8168a2bd9..447e54af73c 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -546,8 +546,10 @@ int fr_openssl_init(void)
 */
 int fr_openssl_fips_mode(bool enabled)
 {
- if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
- fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
+ if (enabled) return 0; /* don't change the FIPS mode */
+
+ if (!EVP_set_default_properties(NULL, "-fips")) {
+ fr_tls_log(NULL, "Failed disabling OpenSSL FIPS mode");
 return -1;
 }
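Review bot: The new heading `#  openssl_fips_mode:: Disable OpenSSL FIPS mode.` in the raddb/radiusd.conf.in hunk contradicts the value semantics given three lines below it, where "yes" leaves the system's FIPS mode untouched and "no" is the value that disables it; a heading such as `#  openssl_fips_mode:: Control whether FreeRADIUS opts out of OpenSSL FIPS mode.` would match the text that follows. The last added paragraph has a typo, `used then the system` should read `used when the system`. That paragraph also says the setting should only be used when the whole system enables FIPS, yet the example line kept below it is `#	openssl_fips_mode = no`, i.e. the opt-out value, so a reader cannot tell whether the shipped default leaves FIPS alone or disables it for the daemon; the example should show the value that corresponds to the default behaviour. Since the "no" path now calls EVP_set_default_properties(NULL, "-fips") in src/lib/tls/base.c, which changes the property query of this process's default library context rather than the host's FIPS configuration, it is worth adding `#  This does not change the FIPS configuration of the system itself, only which algorithms this process may use.` so operators do not expect a system-wide effect.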