CHANGES: document the FIPS provider configuration and installation

Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13684)
2025-04-18 20:40:45 +08:00 · 2021-04-26 02:19:35 +02:00 · 2021-04-26 02:19:35 +02:00 · 3b9e47695f
commit 3b9e47695f
parent f2ea01d9f1
1 changed files with 16 additions and 0 deletions
--- a/CHANGES.md
+++ b/CHANGES.md
@ -23,6 +23,22 @@ OpenSSL 3.0

 ### Changes between 1.1.1 and 3.0 [xx XXX xxxx]

+ * OpenSSL includes a cryptographic module that is intended to be FIPS 140-2
+   validated. The module is implemented as an OpenSSL provider, the so-called
+   FIPS provider. A list of all changes related to the FIPS provider would go
+   beyond the scope of this CHANGES file, please consult the README-FIPS and
+   README-PROVIDERS files, as well as the migration guide.
+
+   The FIPS provider is disabled by default and needs to be enabled explicitly
+   at configuration time using the `enable-fips` option. If it is enabled,
+   the FIPS provider gets built and installed in addition to the default and
+   the legacy provider. No separate installation procedure is necessary.
+   There is however a dedicated `install_fips` make target, which serves the
+   special purpose of installing only the FIPS provider into an existing
+   OpenSSL installation.
+
+   *OpenSSL team members and many third party contributors*
+
 * For the key types DH and DHX the allowed settable parameters are now different.
   Previously (in 1.1.1) these conflicting parameters were allowed, but will now
   result in errors. See EVP_PKEY-DH(7) for further details. This affects the