On Mon, May 16, 2011, Henrik Grindal Bakken wrote:

> 
> Hi.  I'm trying to test the current CVS HEAD with
> FIPS_set_module_mode(1).
> 
> It's looking fairly promising to me, but I currently have one problem:
> While performing an SSL handshake, I get
> 1208113320:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:179:
> 

The rest of OpenSSL cannot currently use the FIPS module correctly in all
cases. You'll get quite a few problems like this. For now only the things in
README.FIPS will work.

> This sounded a bit weird to me, since I've tried my best to set up my
> application to use only FIPS-validated algorithms, but to no avail.  I
> added some debugging printouts to my libcrypto, and from what I could
> understand, the digest in question is MD5.  When I patched openssl to
> say MD5 was a FIPS-approved digest, it worked.
> 
> The program I'm using is attached, and also output from a separate
> 'openssl s_client -connect -showcerts'.
> 
> Does anyone have any ideas as to why MD5 appears in this handshake?
> 

MD5 is a mandatory algorithm for TLS 1.1 and 1.0. As a result the use of MD5
is permitted solely for use in TLS in FIPS mode. Handling this requires some
exception code in the ssl library which isn't currently in place for HEAD.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
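
Why MD5 shows up in the handshake discussed above, as an added example that is not part of the original message and is not OpenSSL's code: the TLS 1.0 PRF and Finished computation from RFC 2246 (TLS 1.1 uses the same construction) both call MD5 alongside SHA-1. The `FIPS_APPROVED` list, `DisabledForFips` and the `tls_exception` flag are hypothetical stand-ins for a digest policy and the TLS-only exception mentioned in the reply.

```python
import hashlib
import hmac

FIPS_APPROVED = {"sha1", "sha256"}  # constructed allow-list for this illustration


class DisabledForFips(Exception):
    """Stands in for the 'disabled for fips' error quoted in the thread."""


def new_digest(name, fips_mode=False, tls_exception=False):
    # A strict policy rejects MD5; the TLS exception admits it for protocol use only.
    allowed = name in FIPS_APPROVED or (tls_exception and name == "md5")
    if fips_mode and not allowed:
        raise DisabledForFips(name)
    return getattr(hashlib, name)


def p_hash(digest, secret, seed, length):
    # RFC 2246 section 5: A(0) = seed, A(i) = HMAC(secret, A(i-1))
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length, **policy):
    # The secret is split into two halves (sharing the middle byte if odd);
    # one half keys P_MD5, the other P_SHA-1, and the two outputs are XORed.
    half = (len(secret) + 1) // 2
    md5 = new_digest("md5", **policy)
    sha1 = new_digest("sha1", **policy)
    a = p_hash(md5, secret[:half], label + seed, length)
    b = p_hash(sha1, secret[len(secret) - half:], label + seed, length)
    return bytes(x ^ y for x, y in zip(a, b))


def finished_verify_data(master_secret, handshake_messages, **policy):
    # Finished covers MD5(handshake) + SHA-1(handshake), fed through the PRF.
    md5 = new_digest("md5", **policy)
    sha1 = new_digest("sha1", **policy)
    seed = md5(handshake_messages).digest() + sha1(handshake_messages).digest()
    return tls10_prf(master_secret, b"client finished", seed, 12, **policy)
```

With a strict policy the very first digest the handshake needs is refused, which is the failure reported in the thread; with the TLS-only exception the result is identical to the non-FIPS computation.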
