sonic-net / sonic-fips

SONiC FIPS module

Revert openssl fips mode setting #25

Closed xumia closed 2 years ago

xumia commented 2 years ago

Use the SCOSSL without setting OpenSSL's FIPS mode on.

After the change, the test stage was normal and took around 4 hours 25 minutes; it took 5 hours before the change.

samuel-lee-msft commented 2 years ago

LGTM - the only thing you might need to also look at is any patches in applications that depend on FIPS_mode.

I think the only current patch like this is openssh-7.7p1-fips-8.4p1-5.patch. OpenSSH either needs to read the FIPS config separately, or you need to export g_fips_mode_enabled from OpenSSL to OpenSSH to enable the patched logic.