From: Alan T. DeKok Date: Tue, 12 Aug 2025 16:52:49 +0000 (-0400) Subject: Revert "change "fips=no" to "-fips"" X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d64fcb36a5d357083bbd2258b35f8cfc7581f305;p=thirdparty%2Ffreeradius-server.git Revert "change "fips=no" to "-fips"" This reverts commit 4340edae652b086078e8000a91899c3c73bd4e2b.
---
diff --git a/raddb/radiusd.conf.in b/raddb/radiusd.conf.in
index 48f89f68fab..a9523b7ad59 100644
--- a/raddb/radiusd.conf.in
+++ b/raddb/radiusd.conf.in
@@ -569,19 +569,9 @@ security {
 @openssl_version_check_config@
 #
- # openssl_fips_mode:: Disable OpenSSL FIPS mode.
+ # openssl_fips_mode:: Enable OpenSSL FIPS mode.
 #
- # Setting this to "yes" means "use whatever FIPS mode is
- # available on the system".
- #
- # Setting this to "no" means "disable FIPS mode just for
- # FreeRADIUS".
- #
- # FreeRADIUS MUST disable FIPS mode in order to use MD4 and
- # MD5 from the OpenSSL APIs.
- #
- # This setting should only be used then the system as a whole
- # enables FIPS, and you still want to use RADIUS.
+ # This disables non-FIPS compliant digests and algorithms
 #
 # openssl_fips_mode = no
 }
diff --git a/src/lib/tls/base.c b/src/lib/tls/base.c
index 447e54af73c..db8168a2bd9 100644
--- a/src/lib/tls/base.c
+++ b/src/lib/tls/base.c
@@ -546,10 +546,8 @@ int fr_openssl_init(void)
 */
 int fr_openssl_fips_mode(bool enabled)
 {
- if (enabled) return 0; /* don't change the FIPS mode */
-
- if (!EVP_set_default_properties(NULL, "-fips")) {
- fr_tls_log(NULL, "Failed disabling OpenSSL FIPS mode");
+ if (!EVP_set_default_properties(NULL, enabled ? "fips=yes" : "fips=no")) {
+ fr_tls_log(NULL, "Failed %s OpenSSL FIPS mode", enabled ? "enabling" : "disabling");
 return -1;
 }
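Review bot: The new `openssl_fips_mode` comment in radiusd.conf.in documents only what `yes` does, yet with the base.c change in this same commit `no` is no longer a no-op: `fr_openssl_fips_mode(false)` now calls `EVP_set_default_properties(NULL, "fips=no")`, which sets the process-wide default property query and so opts FreeRADIUS out of a system-wide FIPS policy rather than merely declining to enable one. An operator reading only this comment would not learn that, so I would replace the one-liner with `#  "yes" sets the OpenSSL default property query to "fips=yes"; "no" sets it to "fips=no", which overrides a system-wide FIPS policy for this process.` The sentence `This disables non-FIPS compliant digests and algorithms` also lacks a terminating period and, if the MD4/MD5 dependency described in the removed text still holds, should warn that `yes` may break the code paths needing those digests — worth confirming before documenting. Note too that the visible code only records the property query string and does not check that a FIPS provider is actually loaded, so the comment should not promise FIPS enforcement beyond what the provider configuration supplies.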