On Tue, Jan 27, 2026 at 02:29:57PM +0530, Manish Patidar wrote:
> We are using OpenSSL 3.5, and our application is linked with libcrypto
> and libssl.
Do you have more than one OpenSSL library installed on your system?
If this is a Unix-like system, please post the output of:

    $ appfilename=...
    $ ldd $appfilename | grep -E 'lib(ssl|crypto)'
    $ ldd $(type -p openssl) | grep -E 'lib(ssl|crypto)'

Assuming the dependencies are the same in both cases, also post the
output of:

    $ openssl version -d -m
> We have updated the config file so that only the base and FIPS
> providers are active.
Which configuration file did you change, what are the relevant settings,
and how did you test that the FIPS and base providers are indeed the
only ones that are configured active?
Because in my case, I don't want FIPS on by default, in "openssl.cnf" I
have:

    openssl_conf = openssl_init

    # Adjust to match the output "openssl version -d":
    # Or use an absolute path with ".include"
    #
    .pragma includedir:/opt/openssl/master/ssl
    .include fipsmodule.cnf

    [openssl_init]
    providers = provider_sect

    [provider_sect]
    default = default_sect
    fips = fips_sect

    [default_sect]
    # activate = 1
And in "fipsmodule.cnf", I similarly have commented out:

    # activate = 1

This means that the default provider is activated if no other
providers are explicitly activated, giving:
    $ /opt/openssl/master/bin/openssl list -providers
    Providers:
      default
        name: OpenSSL Default Provider
        version: 4.0.0
        status: active

    $ /opt/openssl/master/bin/openssl list -provider base -provider fips -providers
    Providers:
      base
        name: OpenSSL Base Provider
        version: 4.0.0
        status: active
      fips
        name: OpenSSL FIPS Provider
        version: 4.0.0
        status: active
In your case, perhaps you want "activate = 1" for the FIPS
and "base" providers.
> However, when our application fetches the algorithm, it is retrieved
> from the default provider instead of the FIPS provider.
Is the default provider also activated?
Does the application initialise the OpenSSL library implicitly or
explicitly by calling OPENSSL_init_crypto() or OPENSSL_init_ssl()?
If the latter, does it pass any non-default "opts" or "settings"?
> When we list providers from the OpenSSL command, it only shows the base and
> FIPS providers.
Please post the output.
> Why is openssl.cnf not reflecting in our application?
Trace it and see which "openssl.cnf" it loads, if any:

    $ strace -e openat /opt/openssl/master/bin/openssl list -providers 2>&1 | grep '\.cnf'
    openat(AT_FDCWD, "/opt/openssl/master/ssl/openssl.cnf", O_RDONLY) = 3
    openat(AT_FDCWD, "/opt/openssl/master/ssl/fipsmodule.cnf", O_RDONLY) = 4
> Does the application need to specifically load the config file?
Not if it is doing implicit initialisation, but otherwise depends on
what it is doing.
> How do other third parties that depend on OpenSSL load this config?
It is loaded by default in most applications, but e.g. Postfix
specifically avoids loading the systemwide configuration unless
explicitly configured by the email administrator.
> Should the application call OPENSSL_init_crypto with
> OPENSSL_INIT_LOAD_CONFIG?
Not generally necessary, if initialisation is implicit.
--
Viktor. 🇺🇦 Слава Україні!
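The question above ("how did you test that the FIPS and base providers are indeed the only ones that are configured active?") can be answered from the configuration file itself before touching the application. The script below is an added example, not code from Viktor's reply or from the OpenSSL project: it follows the chain `openssl_conf` -> `[openssl_init] providers` -> `[provider_sect]` -> each provider section, and reports which sections carry an uncommented `activate = 1`, then states what libcrypto will effectively load (the configured set, or `default` alone when nothing is explicitly activated, as the reply explains). It assumes the simplified INI layout shown in the thread, that the contents of any `.include` file have been appended to the input (the script does not resolve includes itself), and it uses two constructed configurations: the thread's layout with every `activate` commented out, and the suggested variant with `activate = 1` for `base` and `fips`.

```shell
#!/bin/sh
# Added example, not from the thread: which providers does an OpenSSL 3
# configuration actually mark "activate = 1"?  Assumes the INI layout
# used in the thread and that ".include" files are already appended.

# cnf_pairs FILE SECTION: print "key value" for each key in [SECTION].
# SECTION "" is the unnamed default section at the top of the file.
# Comment lines and directives without "=" (.include, .pragma) are skipped.
cnf_pairs() {
    awk -v sect="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*\[/ {
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
            gsub(/[[:space:]]/, "", s); cur = s; next
        }
        cur == sect && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/[[:space:]]/, "", k)
            v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            print k, v
        }' "$1"
}

# cnf_value FILE SECTION KEY: the value of KEY in [SECTION], or nothing.
cnf_value() {
    cnf_pairs "$1" "$2" | awk -v key="$3" '$1 == key { print $2; exit }'
}

# configured_active_providers FILE: names (one per line, in file order)
# of the providers whose section carries an uncommented "activate = 1".
configured_active_providers() {
    file=$1
    init=$(cnf_value "$file" "" openssl_conf)
    [ -n "$init" ] || return 1
    provsect=$(cnf_value "$file" "$init" providers)
    [ -n "$provsect" ] || return 1
    cnf_pairs "$file" "$provsect" | while read -r name sect; do
        if [ "$(cnf_value "$file" "$sect" activate)" = "1" ]; then
            printf '%s\n' "$name"
        fi
    done
}

# effective_providers FILE: the configured set, or "default" alone when
# nothing is explicitly activated (libcrypto then falls back to default).
effective_providers() {
    act=$(configured_active_providers "$1") || act=""
    if [ -n "$act" ]; then printf '%s\n' "$act"; else echo default; fi
}

# sample_config FILE MODE: write a constructed openssl.cnf to FILE with the
# included fipsmodule.cnf section appended.  MODE "implicit" mirrors the
# thread's layout (every activate commented out); MODE "fips-only" sets
# activate = 1 for the base and fips sections.
sample_config() {
    if [ "$2" = "fips-only" ]; then act="activate = 1"; else act="# activate = 1"; fi
    cat > "$1" <<EOF
openssl_conf = openssl_init
.pragma includedir:/opt/openssl/master/ssl
.include fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
base = base_sect
fips = fips_sect

[default_sect]
# activate = 1

[base_sect]
$act

# --- constructed stand-in for the included fipsmodule.cnf ---
[fips_sect]
$act
EOF
}

# Stand-alone demonstration on the two constructed configurations.
demo=$(mktemp)
for mode in implicit fips-only; do
    sample_config "$demo" "$mode"
    printf '%s: configured active = [%s]; effectively active = [%s]\n' \
        "$mode" "$(configured_active_providers "$demo" | tr '\n' ' ')" \
        "$(effective_providers "$demo" | tr '\n' ' ')"
done
rm -f "$demo"
```

Run it against a real installation by pointing `configured_active_providers` at the file named by `openssl version -d` (with its `.include` target concatenated); an empty result with the application still seeing the default provider is the situation described in the thread, not a loading failure.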