On Tue, 6 Oct 2009, Trent, Michael wrote:

> When setting openSSL FIPS mode (FIPS_mode_set(1)), the TLS handshaking
> reply seemed to be ignored on communications with the server.
>
> ...
>
> We have no problem when FIPS is not turned on:

This so makes it sound and feel like the problem is in the OpenSSL FIPS module and not in libcurl. Why do you suspect libcurl at all in the first place?

> Without FIPS turned on the client sends a TLS HELLO with a longer list of crypto strings which include non FIPS allowed strings, and the server picks a non FIPS allowed string and replies with that. In this case the TLS normal handshaking occurs and the client does not fail.

Right, as FIPS limits what cryptos can be used.

> Any idea? Does libcurl not support the stronger encryption of FIPS (AES encryption, and SHA digest)?

This is not a libcurl problem since as you say it works fine with OpenSSL without the FIPS stuff. The handshaking and the crypto layer stuff is all done by OpenSSL (or alternative lib).

--

 / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
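The negotiation the thread describes, as an added illustration (not code from curl, OpenSSL, or either poster): the client's ClientHello offers either its full cipher list or, in FIPS mode, only the FIPS-allowed subset, and the server answers with the first of its own preferences that the client offered. When the server has no cipher in common with the restricted offer, there is no ServerHello to process, only a handshake_failure alert, which matches the "reply seemed to be ignored" symptom. The cipher names, the FIPS allow-list and both server preference lists are constructed for the example and do not reproduce any real configuration.

```python
"""Model of TLS cipher-suite negotiation under a FIPS restriction.

Added illustration; not code from curl, OpenSSL, or the mailing-list thread.
Cipher names, the FIPS allow-list and the server preferences below are
constructed for the example, not copied from a real configuration.
"""
from __future__ import annotations

# Constructed allow-list standing in for what a FIPS-mode build lets the
# client offer (AES + SHA family only; no RC4, no MD5, no single DES).
FIPS_ALLOWED = {
    "AES256-SHA",
    "AES128-SHA",
    "DHE-RSA-AES256-SHA",
    "DHE-RSA-AES128-SHA",
}

# Everything the client library supports when FIPS mode is off (constructed).
CLIENT_FULL_LIST = [
    "RC4-MD5",
    "RC4-SHA",
    "DES-CBC3-SHA",
    "AES128-SHA",
    "AES256-SHA",
    "DHE-RSA-AES128-SHA",
    "DHE-RSA-AES256-SHA",
]


def client_hello_ciphers(fips_mode: bool) -> list[str]:
    """Ciphers offered in the ClientHello: the full list, or only the
    FIPS-allowed subset when FIPS mode is on."""
    if not fips_mode:
        return list(CLIENT_FULL_LIST)
    return [c for c in CLIENT_FULL_LIST if c in FIPS_ALLOWED]


def server_select(offered: list[str], server_prefs: list[str]) -> str | None:
    """Server picks the first of its own preferences that the client offered
    (server-preference order). Returns None when nothing is in common, which
    on the wire is a handshake_failure alert instead of a ServerHello."""
    offered_set = set(offered)
    for cipher in server_prefs:
        if cipher in offered_set:
            return cipher
    return None


def negotiate(fips_mode: bool, server_prefs: list[str]) -> str | None:
    """Run one ClientHello/ServerHello selection and return the chosen cipher."""
    return server_select(client_hello_ciphers(fips_mode), server_prefs)


# Constructed server that prefers RC4 and 3DES and was never given an AES suite.
LEGACY_SERVER = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA"]
# Constructed server that also enables AES suites.
MODERN_SERVER = ["DHE-RSA-AES256-SHA", "AES256-SHA", "RC4-SHA"]

if __name__ == "__main__":
    for name, prefs in (("legacy", LEGACY_SERVER), ("modern", MODERN_SERVER)):
        for fips in (False, True):
            chosen = negotiate(fips, prefs)
            outcome = chosen if chosen else "no common cipher -> handshake_failure"
            print(f"{name:7} fips={str(fips):5} -> {outcome}")
```

Against the legacy server the non-FIPS client lands on RC4-MD5 while the FIPS client gets no cipher at all; against the server that enables AES both succeed. The practical check is therefore on the server side: confirm it actually offers an AES/SHA suite, for instance by connecting with `openssl s_client -cipher FIPS` (OpenSSL's `FIPS` cipher-string keyword) or with `curl --ciphers` restricted to the same suites, before attributing the failure to the client library.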
