David Schwartz wrote:
Is this correct for openssl 0.9.8 using FIPS?

test SSL protocol
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
  1: zlib compression
SSLv3, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
1 handshakes of 256 bytes done
gmake[1]: *** [test_ssl] Error 1
gmake[1]: Leaving directory `/usr/source/openssl-0.9.8-stable-SNAP-20080918-fips/test'
gmake: *** [tests] Error 2

If your question is whether SSLv3 should be prohibited in FIPS mode, the
answer is yes. SSLv3's use of MD5 is not acceptable under FIPS rules.

And for more details as to the reasons why SSLv3 is not allowed yet TLSv1 is, see the implementation guidance at:

http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

The details are contained in section 7.1, and specifically in footnote 13, which reads:

<quote>
The problem with SSL 3.0 is the key derivation process that applies to all SSL 3.0 cipher suites: half of the master key that is set up during the SSL key exchange depends entirely on the MD5 hash function. MD5 is not a FIPS approved algorithm, and its collision resistance property has recently been broken by Antoine Joux.

TLS also uses MD5 in the key derivation process, but in a different manner, so that all of the master key depends on both MD5 and SHA-1, and nothing in TLS actually depends on MD5 for its security.

Therefore, TLS implementations can be validated under FIPS 140-2, while SSL 3.0 implementations cannot. TLS is version 3.1 of SSL, and most current servers and clients are capable of doing both SSL 3.0 and TLS.

William Burr, NIST Security Technology Group
</quote>

The OpenSSL FIPS Object Module implements technical measures to assist the user in operating the module in a correct (valid) manner.

Tim.
