Is OpenSSL FIPS mode enabled by default?

No. OpenSSL 3.x uses providers. The FIPS provider is separate and must be explicitly configured. Using OpenSSL does not automatically enable FIPS mode.

Does enabling the FIPS provider make my app FIPS 140 validated?

Not by itself. Validation depends on the exact module version, platform, build, and the defined cryptographic boundary. Consult the official validation listings and documentation.

How can I tell if the FIPS provider is available?

Run 'openssl list -providers' and look for a 'fips' entry. If it is absent, your build likely does not include the FIPS module from a validated source.

Where do I find authoritative FIPS information?

Refer to the OpenSSL project's official documentation and the NIST CMVP listings. Vendor-specific builds may have different status or requirements.

Home › FIPS Notes

OpenSSL FIPS on Windows — Overview

What FIPS means in OpenSSL 3.x, how providers work, when validation applies, and safe next steps on Windows.

Get Win64 Installer Verify Hashes Download Installer (Win64)

TL;DR: OpenSSL 3.x introduces a FIPS provider. It is not enabled by default, and enabling it does not automatically make your system “FIPS validated.” Validation depends on the exact module, version, platform, and deployment. Always confirm with official documentation.

What is the FIPS provider?

OpenSSL 3.x uses a provider model. The FIPS provider exposes algorithms that are eligible for FIPS 140 compliance.
The provider lives as a separate module. Your build must include (or install) a FIPS‑capable module for your platform.
FIPS mode is off by default. You must configure OpenSSL to load the FIPS provider and restrict algorithms as required.

Validation and scope

Validation is specific: module version, OS, architecture, toolchain, and boundary all matter.
Turning on a FIPS provider is not the same as having a validated solution. You must consult official validation listings.
Applications may need to restrict non‑approved algorithms and enforce a locked configuration.

How to check availability

Open a terminal and run openssl list -providers.
Look for a provider named fips. If it’s missing, your build likely doesn’t ship a FIPS module.
Run openssl version -a to capture build details for audit logs.

If there’s no fips provider, contact your vendor or use a build that includes a validated FIPS module.

High‑level configuration notes

Use a vendor build that includes the FIPS module for your Windows version and x64 architecture.
Create a dedicated OpenSSL configuration that loads the fips provider and sets it as the default where required.
Lock configuration and ensure only approved algorithms are available to your application context.
Record versions, hashes, and configuration files for compliance evidence.

Authoritative resources

OpenSSL official documentation — Providers and FIPS: openssl.org/docs
OpenSSL FIPS overview page: openssl.org/docs/fips.html
Microsoft Visual C++ Redistributable (if needed): learn.microsoft.com

We are not affiliated with the OpenSSL project. Always cross‑check with official sources and your compliance team.

Download OpenSSL (Win64) Verify Hashes for the Installer Add OpenSSL to PATH (Windows) Fix libcrypto.dll / libssl.dll errors