OpenSSL also looks up the value of B<config_diagnostics>.
If this exists and has a nonzero numeric value, any error suppressing flags
passed to CONF_modules_load() will be ignored.
-This is useful for diagnosing misconfigurations and should not be used in
-production.
-
- # This must be in the default section
+This is useful for diagnosing misconfigurations but its use in
+production requires additional consideration. With this option enabled,
+a configuration error will completely prevent access to a service.
+Without this option and in the presence of a configuration error, access
+will be allowed but the desired configuration will B<not> be used.
+
+ # These must be in the default section
+ config_diagnostics = 1
openssl_conf = openssl_init
[openssl_init]
install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C
install-status = INSTALL_SELF_TEST_KATS_RUN
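Review bot: the added sentence "a configuration error will completely prevent access to a service" is vaguer than what the preceding context describes. Since the option makes CONF_modules_load() stop ignoring errors, the concrete effect is that configuration loading fails and an application that treats that failure as fatal will not start; suggest saying so and naming the trade-off directly, e.g. "With this option the application fails closed on a configuration error; without it the application fails open and silently runs with the default configuration instead of the intended one." That makes the reasoning behind the FIPS recommendation elsewhere in this patch easy to follow.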
+=head1 NOTES
+
+When using the FIPS provider, it is recommended that the
+B<config_diagnostics> option is enabled to prevent accidental use of
+non-FIPS validated algorithms via broken or mistaken configuration.
+See L<config(5)>.
+
=head1 SEE ALSO
L<config(5)>
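Review bot: the NOTES paragraph says B<config_diagnostics> prevents "accidental use of non-FIPS validated algorithms via broken or mistaken configuration" but does not say how, which leaves the reader to work it out from the config(5) change. One sentence stating that without the option a configuration error is suppressed and the application proceeds with the non-FIPS default provider, whereas with it the error is fatal, would make the recommendation self-contained. Note also that the same recommendation is added a second time inline near the example later in this patch; consider keeping one copy and cross-referencing it from the other.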
Edit the config file to add the following lines near the beginning:
+ config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
FIPS module config file that you installed earlier.
See L<https://github.com/openssl/openssl/blob/master/README-FIPS.md>.
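Review bot: adding C<config_diagnostics = 1> ahead of the C<.include /usr/local/ssl/fipsmodule.cnf> line changes the failure mode of this example, and the surrounding instructions should say so: a missing, unreadable or stale F<fipsmodule.cnf> at that path (for instance after the module is reinstalled and its MAC or self-test status changes) will now stop applications from starting instead of silently leaving them on the default provider. Suggest a short sentence after "Edit the config file to add the following lines near the beginning:" telling the reader to verify the include path and module installation before enabling the option, and to expect a hard failure rather than a warning if they do not match.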
+For FIPS usage, it is recommened that the B<config_diagnostics> option is
+enabled to prevent accidental use of non-FIPS validated algorithms via broken
+or mistaken configuration. See L<config(5)>.
+
Any applications that use OpenSSL 3.0 and are started after these changes are
made will start using only the FIPS module unless those applications take
explicit steps to avoid this default behaviour. Note that this configuration
does not load the "base" provider. All supporting algorithms that are in "base"
are also in "default", so it is unnecessary in this case:
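Review bot: typo in the added line "For FIPS usage, it is recommened that": should be "recommended". The same sentence reads better as "it is recommended that the B<config_diagnostics> option be enabled". This paragraph also repeats the new NOTES section word for word apart from the opening clause; keeping only one of them, or reducing this one to a pointer such as "See L</NOTES>", avoids the two copies drifting apart in future edits.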
+ config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
For example, let's say we have the following config example:
+ config_diagnostics = 1
openssl_conf = openssl_init
[openssl_init]