On Tue Jan 16 08:50:08 2018, ondrej wrote:
> So, here's an idea.
> 
> Instead of exiting on start, when MD5 can't be used, the flag would be
> set, and the code that is currently wrapped inside PK11_MD5_DISABLE
> would be changed to use this flag.
> 
> The change would be still massive, but no API would be changed and
> henceforth:

=> It does not fit well in the architecture because it supposed a new
global state and:
 1- there is an embargo about new features and this is one

 2- it is in strong opposition with the idea of FIPS mode: when you
  are in FIPS mode you want a strong guarantee only the FIPS approved
  crypto can be used. This is why from the beginning FIPS support
  was associated with disabling MD5 at build time.

> a) BIND would be able to run on FIPS-only enabled systems without MD5

=> it is but I disagree about your interpretation of why people set
the FIPS mode.

> b) The change would be backportable to maintenance releases (as no
> change in API)

=> current change will merged as soon as someone confirms me
there is no code freeze... (so I give the ticket to Evan).

BTW I'd like to resume the old FIPS mode ticket. It assumes
OpenSSL FIPS module when now you have RedHat & co too
so if the API is common FIPS mode management must be
more flexible. And of course we no longer need to wait
for a formal request for it as it is available in at least 3
different Linuxes without the incredible burden to build
the OpenSSL FIPS module...