Application changes
z/OS Cryptographic Services System SSL Programming SC14-7495-00
To use System SSL in FIPS mode, application changes are required. By default, all applications that use System SSL execute in non-FIPS mode. The application must request that System SSL execute in FIPS mode in the very early stages of interaction with the System SSL API. The application does this by invoking the function gsk_fips_state_set() (see gsk_fips_state_set()).

To set FIPS mode, gsk_fips_state_set() must be executed before all other System SSL functions except for gsk_get_cms_vector(), gsk_get_ssl_vector() and gsk_fips_state_query(). It is possible to switch to non-FIPS mode later. It is not possible to switch from non-FIPS mode to FIPS mode at any time.

The FIPS mode setting applies to the entire process. Once FIPS mode is set, all threads of the same process execute in FIPS mode. If any thread switches to non-FIPS mode, all threads in the same process execute in non-FIPS mode.

When executing in FIPS mode and a severe cryptographic problem is encountered, one of the following return codes is returned from the API executing at the time of failure. These return codes should be treated as severe and the application should be terminated and restarted. If execution continues, all APIs except for gsk_get_cms_vector(), gsk_get_ssl_vector(), gsk_fips_state_query(), gsk_query_crypto_level(), and gsk_strerror() fail.
The sample files (see Sample C++ SSL files) client.cpp and server.cpp demonstrate the use of gsk_fips_state_set() to set the application to run in FIPS mode. In both cases, the gsk_fips_state_set() function is invoked before any other System SSL function.
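The ordering rules above, modelled as a small C state machine that can stand in for System SSL when unit-testing an application's start-up sequence. This is an added example, not IBM code and not taken from client.cpp or server.cpp; the `fips_model` type and the `model_*` names are hypothetical, and the model does not call the real gsk_* functions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the process-wide FIPS state rules; not System SSL code. */
typedef enum { MODEL_NON_FIPS, MODEL_FIPS } model_mode;

typedef struct {
    model_mode mode;   /* applies to every thread in the process */
    bool window_open;  /* true while a request for FIPS mode can still succeed */
} fips_model;

/* Functions the page allows before gsk_fips_state_set(). */
static const char *const exempt_calls[] = {
    "gsk_get_cms_vector", "gsk_get_ssl_vector", "gsk_fips_state_query"
};

void model_init(fips_model *m) {
    m->mode = MODEL_NON_FIPS;   /* default: non-FIPS */
    m->window_open = true;
}

/* Record that the application invoked the named System SSL function. */
void model_note_call(fips_model *m, const char *api) {
    for (size_t i = 0; i < sizeof exempt_calls / sizeof exempt_calls[0]; i++)
        if (strcmp(api, exempt_calls[i]) == 0)
            return;             /* exempt: window stays open */
    m->window_open = false;     /* any other call ends the window */
}

/* Returns 0 when the requested mode is in effect, -1 when the request is refused. */
int model_state_set(fips_model *m, model_mode want) {
    if (want == MODEL_FIPS) {
        if (m->mode == MODEL_FIPS)
            return 0;           /* already in FIPS mode */
        if (!m->window_open)
            return -1;          /* too late: non-FIPS to FIPS is not possible */
        m->mode = MODEL_FIPS;
        return 0;
    }
    /* Switching to non-FIPS is always allowed and cannot be undone
       (assumption: an explicit non-FIPS request also ends the window). */
    m->mode = MODEL_NON_FIPS;
    m->window_open = false;
    return 0;
}
```

Feeding the model the sequence of calls an application makes at start-up shows whether its request for FIPS mode arrives while it can still be honoured.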
Copyright IBM Corporation 1990, 2014