OpenSSL FIPS & NGINX

Posted by nginx4newb 
February 21, 2018 12:38AM
Hi there,
I am hoping to get some guidance on enabling openssl fips mode for nginx.
So far I followed the openssl guide for enabling fips mode on the openssl.
That part works well:
# /usr/local/openssl/bin/openssl md5 /usr/local/openssl/bin/openssl
Error setting digest md5
139805371958952:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

# cat /proc/sys/crypto/fips_enabled
1

For nginx I first tried to build nginx using this custom openssl (installed in /usr/local/openssl/):
/nginx-1.12.2/configure --with-http_ssl_module --with-openssl=/usr/local/openssl --with-ld-opt="-L/usr/local/openssl/lib"
This failed however since the /usr/local/openssl is the installed/binary location of custom openssl, not the source tree where I built custom openssl.

So I changed --with-openssl option to use openssl source tree as:
/nginx-1.12.2/configure --with-http_ssl_module --with-openssl=/usr/local/src/openssl-1.0.2n/ --with-ld-opt="-L/usr/local/openssl/lib"

This works and I am able to build and install nginx, but I am not sure if the proper openssl compile options to support fips mode are passed during nginx configure.

When I print compile options:
nginx -V:
nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2n 7 Dec 2017

Yet the custom openssl is:
/usr/local/openssl/bin/openssl version
OpenSSL 1.0.2n-fips 7 Dec 2017

System's own openssl is still intact:
# /usr/bin/openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013


Do I need to be passing openssl compile option to enable fips support while configuring nginx?

Per "Configurable FIPS mode" thread (https://forum.nginx.org/read.php?10,257298,257298)
"Currently we solve this by compiling nginx ourselves after adding FIPS_mode_set(1) after the SSL library initialization code in systems where we require it."

Can someone let me know where and how to set the FIPS_mode_set flag so Nginx will be using FIPS mode?

I searched for that setting and found one binary obj file under nginx:
nginx-1.12.2/objs/nginx

and a header file under openssl source directories:
openssl-1.0.2n/.openssl/include/openssl/crypto.h

(openssl was built using:
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared fips)

Thanks in advance.
Re: OpenSSL FIPS & NGINX
February 21, 2018 04:49PM
Update: Inspecting the output from the make command, it looks like src/openssl/Makefile is being replaced by one built by the Nginx make:
/usr/local/src/nginx-1.12.2# make
.....
.....
cd /usr/local/src/openssl-1.0.2n/ \
&& if [ -f Makefile ]; then make clean; fi \
&& ./config --prefix=/usr/local/src/openssl-1.0.2n/.openssl no-shared \
&& make \
&& make install_sw LIBDIR=lib
....
....
So options I had in the original src/openssl-1.0.2n/Makefile, including FIPS mode options, are being deleted while building Nginx.
At this point I am not sure how to pass FIPS options to the Nginx build, nor how to make Nginx use the already installed FIPS-capable custom openssl.

Any comments or suggestions?
Thanks again...
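A post-build check, added here as an example and not part of the thread: nginx -V prints the version text from the OpenSSL headers it was compiled against, so a "built with OpenSSL 1.0.2n 7 Dec 2017" line without the "-fips" suffix (as in the post above) shows nginx was compiled against a non-FIPS build of the library. The script assumes sh plus sed and takes the three outputs as arguments so it can be run against saved output; the sample strings at the bottom are constructed from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: checks whether an nginx binary was built
# against a FIPS-capable OpenSSL (version string carries "-fips") and whether
# the kernel FIPS switch is on. Live usage:
#   check_fips "$(nginx -V 2>&1)" "$(/usr/local/openssl/bin/openssl version)" \
#              "$(cat /proc/sys/crypto/fips_enabled)"

# Print the version nginx reports on its "built with OpenSSL ..." line (nginx -V writes to stderr).
nginx_built_with() {
    printf '%s\n' "$1" | sed -n 's/^built with OpenSSL //p'
}

# Succeed only if a version string such as "OpenSSL 1.0.2n-fips 7 Dec 2017" carries the -fips tag.
is_fips_version() {
    case "$1" in
        *-fips*) return 0 ;;
        *)       return 1 ;;
    esac
}

# $1: nginx -V text, $2: output of `openssl version`, $3: contents of /proc/sys/crypto/fips_enabled.
# Returns 0 only when every check passes; otherwise prints each failing check and returns 1.
check_fips() {
    built=$(nginx_built_with "$1")
    rc=0
    if ! is_fips_version "$built"; then
        echo "FAIL: nginx reports 'built with OpenSSL $built' (no -fips tag: compiled against a non-FIPS OpenSSL)"
        rc=1
    fi
    if ! is_fips_version "$2"; then
        echo "FAIL: the OpenSSL binary reports '$2' (not a FIPS-capable build)"
        rc=1
    fi
    if [ "$3" != "1" ]; then
        echo "FAIL: /proc/sys/crypto/fips_enabled is '$3', expected 1"
        rc=1
    fi
    return $rc
}

# Constructed sample input, copied from the outputs quoted in the thread.
SAMPLE_NGINX_V='nginx version: nginx/1.12.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC)
built with OpenSSL 1.0.2n 7 Dec 2017'
SAMPLE_OPENSSL='OpenSSL 1.0.2n-fips 7 Dec 2017'

check_fips "$SAMPLE_NGINX_V" "$SAMPLE_OPENSSL" 1 || echo "nginx is not ready for FIPS mode"
```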