OpenSSL Communities

Bringing back FIPS_mode() define

Dmitry Belyavsky, Wed 11 Mar 2026 8:35AM

@Dimitri John Ledkov (Chainguard) has raised a PR to bring back the FIPS_mode() define that used to exist in OpenSSL before 3.0.

https://github.com/openssl/openssl/pull/30339

The FIPS_mode() symbol is present in various popular distros, added there as a downstream patch, and in OpenSSL forks. The semantics is not as well defined, but it may be a good hint that applications shouldn't use the non-FIPS-approved algorithms.


Do you support reinstantiation of this macro?

poll by Dmitry Belyavsky Closed Fri 20 Mar 2026 8:00AM

Results

Option | % of points | Voters
Yes, in 4.0 | 88 | 7: Pedro Monreal, Dmitry Belyavsky, Lucas Mülling, Tobias Heider, Łukasz 'sil2100' Zemczak, Dimitri John Ledkov (Chainguard), Steffen Land
Yes, in 4.x series | 13 | 1: Simon John
No | 0 | 0
Undecided | | 34: Tomas Mraz, Angel Yankov, Hana Andersen Election Committee, Alan, Jon Ericson, Brian "bex" Exelbierd, Anton Arapov, Xin Li, Klaus Triendl, John Baldwin, Yi Ouyang, Pierre Schmitz, Kurt Roeckx, Pal Lakatos-Toth, Gordon Tetlow, Martin Bolek, Matěj Cepl, Alexander Bokovoy, Tomas Vavra

8 of 42 votes cast (19% participation)

Simon John, Wed 11 Mar 2026 8:37AM

Yes, in 4.x series

RHEL-alike distros that have gone through FIPS 140-3 validation, like AlmaLinux, are already defining this macro via patches for some level of backwards compatibility.

It must be highlighted that it's only a hint that FIPS mode is enabled, and testing for successful loading of the provider (passing self-tests etc.) should be handled by the user, just like FIPS indicators. And perhaps that it should only be used for backwards-compatibility and not new code?
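
The provider-loading check mentioned in the comment above, as an added example (not code from this thread, the PR or the OpenSSL project): a shell function that reads the output of `openssl list -providers` and reports whether the `fips` provider is actually listed as active, instead of relying on a hint. The function names and both sample listings are constructed for this illustration, and the version strings in them are placeholders.

```shell
#!/bin/sh
# Added example: decide from `openssl list -providers` output whether the
# FIPS provider is loaded and reported active, rather than trusting a hint.

# Reads a provider listing on stdin and prints "active", "inactive" or
# "absent" for the provider id given as $1 (default: fips).
provider_status() {
    awk -v want="${1:-fips}" '
        # Provider ids are indented by exactly two spaces in the listing.
        /^  [^ ]/ { id = $1; if (id == want) seen = 1; next }
        # Attribute lines (name, version, status) are indented further.
        id == want && $1 == "status:" { status = $2 }
        END {
            if (!seen) print "absent"
            else if (status == "active") print "active"
            else print "inactive"
        }'
}

# Returns 0 only when the fips provider is listed with status "active".
fips_provider_active() {
    [ "$(provider_status fips)" = "active" ]
}

# Constructed sample listings (not captured from a real system).
SAMPLE_FIPS='Providers:
  base
    name: OpenSSL Base Provider
    version: 3.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.0
    status: active'

SAMPLE_DEFAULT_ONLY='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.0
    status: active'

# On a live system: openssl list -providers | provider_status fips
```

A deployment script can fail closed by exiting when `fips_provider_active` returns non-zero, whatever the hint says.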