
OpenSSL FIPS provider on Windows — overview

OpenSSL 3.x uses a provider model that includes a FIPS provider for FIPS 140 compliance. This page covers what it is, validation caveats, how to check if it is available, and high-level configuration notes for Windows.

This is an informational overview only. FIPS compliance is a complex legal and technical matter. Consult the official CMVP listings and a qualified cryptographer for production requirements.

What is the FIPS provider?

OpenSSL 3.x replaces the legacy FIPS_mode_set() API with a provider model. The FIPS provider is a separate loadable module (fips.dll on Windows) that exposes algorithms eligible for FIPS 140 compliance.

  • FIPS mode is off by default. You must explicitly configure OpenSSL to load the FIPS provider.
  • The FIPS provider must be present in your build — not all prebuilt Windows installers include it.
  • Code written for OpenSSL 1.x FIPS mode (FIPS_mode_set(1)) must be rewritten for the 3.x provider API.

Validation caveats

Enabling a FIPS provider is not the same as having a validated FIPS solution. Validation is specific to a particular module build, OS version, architecture, toolchain, and cryptographic boundary.

  • Module version matters — the CMVP certificate covers a specific build. A recompile invalidates it.
  • Check the CMVP database — verify the specific build you are using has a current, active certificate at csrc.nist.gov/projects/cryptographic-module-validation-program.
  • Apps must restrict algorithms — using the FIPS provider is necessary but not sufficient. Your application must also disable non-approved algorithms.
  • Third-party builds may not be validated — the Shining Light Productions prebuilt may or may not carry FIPS validation. Check with the vendor.

Check FIPS provider availability

cmd.exe
# List all loaded providers:
C:\> openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    status: active

# Check specifically for fips provider:
C:\> openssl list -providers -provider fips

# Full build info for audit logs:
C:\> openssl version -a
OpenSSL 4.0.0 6 Jun 2025
platform: VC-WIN64A

If fips is not listed even when requested with -provider fips, your build does not ship a FIPS module. You need a build that explicitly includes FIPS support for Windows x64.

High-level setup steps

These are reference steps only. Consult the official OpenSSL documentation for your specific version before modifying production environments.

  • Obtain a vendor build that includes fips.dll for Windows x64 and your target OS.
  • Run openssl fipsinstall to generate the integrity-check configuration file for the FIPS module.
  • Create a dedicated openssl.cnf that loads the fips provider and sets it as the default for your application context.
  • Restrict your app to approved algorithms only — disable legacy providers in the config.
  • Record module versions, SHA256 hashes, and config files as compliance evidence.

Always test FIPS configuration in a non-production environment first. Applications may fail or behave unexpectedly when non-approved algorithms they rely on are restricted.
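
One way to wire up the setup steps above, shown as an added example rather than configuration taken from this page or from any vendor build. It follows the OpenSSL 3.x provider configuration format; every C:/path/to/... path and the file name openssl-fips.cnf are placeholder assumptions.

```ini
# openssl-fips.cnf (constructed example; all C:/path/to/... values are placeholders)
#
# Prerequisite, run once per machine in cmd.exe so the module runs its
# self-tests and writes its integrity-check section:
#   openssl fipsinstall -out C:\path\to\fipsmodule.cnf -module C:\path\to\ossl-modules\fips.dll

# Treat configuration errors as fatal instead of silently continuing
# with whatever providers happen to load.
config_diagnostics = 1
openssl_conf = openssl_init

# Pull in the fips_sect section generated by fipsinstall.
# Forward slashes avoid backslash-escape surprises in the config parser.
.include C:/path/to/fipsmodule.cnf

[openssl_init]
providers = provider_sect
alg_section = algorithm_sect

[provider_sect]
# Only these two providers are activated. The default and legacy providers
# are deliberately not listed, so this config never loads them.
fips = fips_sect
base = base_sect

[base_sect]
# The base provider supplies encoders/decoders (PEM/DER key loading) only.
activate = 1

[algorithm_sect]
# Implicit algorithm fetches must resolve to implementations tagged fips=yes.
default_properties = fips=yes
```

Point a process at this file by setting the OPENSSL_CONF environment variable before it starts; openssl list -providers should then show fips and base as active. Keep the generated fipsmodule.cnf with the compliance evidence listed above.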

Start with a clean install

Download and verify the Win64 installer before configuring FIPS.
