> Am 21.05.2021 um 17:59 schrieb Joe Orton <jor...@redhat.com>:
>
> On Wed, May 12, 2021 at 02:25:42PM +0200, pgajdos wrote:
>> Hello,
>>
>> I have a question regarding the logic around SSLFIPS on/off. After
>> https://svn.apache.org/viewvc?view=revision&revision=1853197
>> I think SSLFIPS off will not work as expected.
> ...
>> In case sc->fips is FALSE (SSLFIPS off or not set), the
>> FIPS_mode_set() is not called at all and the fips mode is untouched.
>> If I understand correctly, it can be ON as it is on my system when a
>> binary starts up.
>
> Agreed.
>
>> Question also is, whether the FIPS mode should not stand untouched
>> when SSLFIPS is not specified at all (not intend to turning it off).
>> Perhaps even more basic concern, what is actually the purpose
>> (usecase) or SSLFIPS directive? In other words, in case you have a
>> FIPS system, why you would like to disable it in httpd?
>
> It looks to me like "SSLFIPS off" has never worked even before r1853197.
> I assume the use case was the opposite - turning on FIPS on a system
> without it enabled globally. (AFAIK my users/customers only care about
> systems where FIPS is a OS-level setting so I don't care about that use
> case either)
>
> It also looks like OpenSSL 3.0 will be removing the functions entirely:
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Upgrading_from_the_OpenSSL_2.0_FIPS_Object_Module
>
> though I've only built against alpha16 so far and FIPS*() are still
> there.
>
> My preference would be to remove SSLFIPS from trunk mod_ssl completely.
+1