From 5540855bda5e58f4b33f2306feb6ff4e93c0af81 Mon Sep 17 00:00:00 2001 From: Pauli Date: Thu, 29 Jul 2021 11:39:01 +1000 Subject: doc: document that config_diagnostics is sensible but involves risk Also: - add this option to the sample configurations in the documentation. - note that it is a sensible choice when using FIPS via config Reviewed-by: Richard Levitte (Merged from https://github.com/openssl/openssl/pull/16172) --- doc/man7/fips_module.pod | 6 ++++++ doc/man7/provider-base.pod | 1 + 2 files changed, 7 insertions(+) (limited to 'doc/man7') diff --git a/doc/man7/fips_module.pod b/doc/man7/fips_module.pod index 1d709be513..b47ed279f6 100644 --- a/doc/man7/fips_module.pod +++ b/doc/man7/fips_module.pod @@ -73,6 +73,7 @@ F. Edit the config file to add the following lines near the beginning: + config_diagnostics = 1 openssl_conf = openssl_init .include /usr/local/ssl/fipsmodule.cnf @@ -91,6 +92,10 @@ Obviously the include file location above should match the path and name of the FIPS module config file that you installed earlier. See L. +For FIPS usage, it is recommened that the B option is +enabled to prevent accidental use of non-FIPS validated algorithms via broken +or mistaken configuration. See L. + Any applications that use OpenSSL 3.0 and are started after these changes are made will start using only the FIPS module unless those applications take explicit steps to avoid this default behaviour. Note that this configuration @@ -273,6 +278,7 @@ sets the default property value to be C. Note that this config file does not load the "base" provider. All supporting algorithms that are in "base" are also in "default", so it is unnecessary in this case: + config_diagnostics = 1 openssl_conf = openssl_init .include /usr/local/ssl/fipsmodule.cnf diff --git a/doc/man7/provider-base.pod b/doc/man7/provider-base.pod index f1d9f3cce3..92c167638b 100644 --- a/doc/man7/provider-base.pod +++ b/doc/man7/provider-base.pod 
@@ -475,6 +475,7 @@ config command name separated by periods. For example, let's say we have the following config example: + config_diagnostics = 1 openssl_conf = openssl_init [openssl_init] -- cgit v1.2.3
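Review bot: In the first fips_module.pod hunk (@@ -73,6 +73,7 @@), `config_diagnostics = 1` is dropped into the step-by-step sample without any explanation at that point; the reader only learns what it is for about twenty lines later, in the paragraph added by the next hunk. Either add a one-line comment above the setting in the sample (`# fail hard on config errors instead of ignoring them`) or reorder so the recommendation paragraph precedes the sample, so a user who copies the block understands why the setting is there.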
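Review bot: The paragraph added in the second fips_module.pod hunk (@@ -91,6 +92,10 @@) has a typo, "recommened" should be "recommended", and the subjunctive reads better: "it is recommended that the ... option be enabled". As rendered here the option name is missing from the B<...> formatting code ("the B option is"); confirm the source reads B<config_diagnostics>. More substantively, the commit subject says the option "involves risk", yet this paragraph only states the benefit (preventing accidental use of non-FIPS validated algorithms); the sentence should also say what enabling it changes for the application, or the trailing "See L." should name the section of the config page that documents the downside, so the risk the subject line refers to is actually visible to readers of fips_module(7).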
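Review bot: The provider-base.pod hunk (@@ -475,6 +475,7 @@) adds `config_diagnostics = 1` to a sample whose surrounding text ("let's say we have the following config example") is about config command names and provider sections, not about diagnostics; the line is therefore unexplained in that context and not referenced by the text it illustrates. If the intent is for every sample configuration in the manual pages to carry this setting, add a short sentence after the example pointing readers to where config_diagnostics is documented, otherwise consider leaving this particular example minimal.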