Check for FIPS mode after loading config.

PR#3958

Reviewed-by: Rich Salz <rsalz@openssl.org>

diff --git a/apps/pkcs12.c b/apps/pkcs12.c
index 4ff64495a956cc2106ec1009316dd21327cab027..e41b445a50b0520c057421fa412f3c6cae23a7ba 100644 (file)
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -134,13 +134,6 @@ int MAIN(int argc, char **argv)
 
     apps_startup();
 
-# ifdef OPENSSL_FIPS
-    if (FIPS_mode())
-        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-    else
-# endif
-        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
-
     enc = EVP_des_ede3_cbc();
     if (bio_err == NULL)
         bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@ -148,6 +141,13 @@ int MAIN(int argc, char **argv)
     if (!load_config(bio_err, NULL))
         goto end;
 
+# ifdef OPENSSL_FIPS
+    if (FIPS_mode())
+        cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
+    else
+# endif
+        cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC;
+
     args = argv + 1;
 
     while (*args) {