No, you are not FIPS compliant at the server just because your clients are 
using FIPS compliant crypto modules and security functions. In this case, the 
client will be using RSA + 3DES in EDE/CBC mode with SHA-1 HMAC, because this is 
the only available cipher suite on XP that is FIPS compliant (supposedly!). TLS 
will allow this to be negotiated as a common cipher suite between client and 
server. Your server, in its current configuration, would allow non-approved 
security functions to be used.

Your server side process must use a certified crypto module and be in FIPS 
compliant enabled mode so that only FIPS approved security functions can be 
used.

Carl
  ----- Original Message ----- 
  From: Koripella Srinivas 
  To: openssl-users@openssl.org 
  Sent: Thursday, February 19, 2009 10:01 AM
  Subject: FIPS Server


  Hello all,

  I have a general query regarding FIPS mode. I am running a simple https 
server based on OpenSSL that services https requests from Windows clients. 
I have the following setting on my Windows XP client: "Use FIPS compliant 
algorithms for encryption, hashing and signing" set to 1. 
  Using IE on a Windows XP client with the above setting I am able to 
communicate with an openssl command line https server. I don't have FIPS enabled 
on my openssl command line tool. Then how come I am able to handle requests from 
a Windows machine which has the FIPS setting set to 1?

  Now is it ok to say I am FIPS compliant on the server side because I am 
handling FIPS requests from clients?

  Thanks in advance for your time.
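The negotiation Carl describes above, as an added example that is not code from this thread or from OpenSSL: a small Python model of TLS cipher-suite selection together with the server-side audit a practitioner would want. The cipher lists (the XP client's single suite, an ordinary browser's offer, an unrestricted server's accept list) are constructed for the example using OpenSSL suite names; `is_fips_approved`, `negotiate`, `non_approved_suites_accepted` and `restricted_server_cipher_names` are illustrative names, while `ssl.SSLContext.set_ciphers` / `get_ciphers` at the end are the real Python API for restricting what an OpenSSL-backed server will accept.

```python
"""Cipher-suite negotiation vs. server-side policy (added example).

A TLS session ends up with whatever suite both sides allow.  A client that
restricts itself to FIPS-approved suites only narrows its own offer; a server
that accepts everything it was built with will still take RC4-MD5 from the
next client.  The helpers below model the selection rule and give a server-side
audit that flags suites a server in FIPS mode would never accept.

All cipher lists are constructed samples using OpenSSL suite names.
"""
import ssl

# What an XP client with the "Use FIPS compliant algorithms" policy offers
# (RSA key exchange, 3DES-EDE-CBC, HMAC-SHA1), as described in the thread.
XP_FIPS_CLIENT = ["DES-CBC3-SHA"]

# A browser without that policy (constructed; weakest suite first on purpose).
ORDINARY_CLIENT = ["RC4-MD5", "RC4-SHA", "DES-CBC3-SHA", "AES128-SHA"]

# A server never put into FIPS mode: accepts its whole built-in list (constructed).
UNRESTRICTED_SERVER = ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA", "RC4-MD5",
                       "EXP-RC4-MD5", "NULL-SHA"]

# Name components that rule a suite out of the approved set: export grades,
# null/anonymous suites, RC4/RC2/IDEA/SEED/Camellia/ChaCha ciphers, MD5 MACs
# and single DES ("DES-CBC-").  3DES counted as approved when this thread was
# written (2009); NIST has since retired it for encryption.
_REJECT_TOKENS = ("EXP", "NULL", "ADH", "AECDH", "ANON", "RC4", "RC2", "MD5",
                  "IDEA", "SEED", "CAMELLIA", "CHACHA", "DES-CBC-")
_ACCEPT_CIPHERS = ("AES", "DES-CBC3", "3DES")


def is_fips_approved(suite: str) -> bool:
    """Coarse check on an OpenSSL suite name: no disallowed component, and an
    approved bulk cipher.  Illustrative policy, not a validated-module check."""
    s = suite.upper()
    if any(tok in s for tok in _REJECT_TOKENS):
        return False
    return any(tok in s for tok in _ACCEPT_CIPHERS)


def negotiate(client_offer, server_accepts, server_preference=False):
    """Return the suite TLS settles on, or None for a handshake failure.

    The server chooses from the intersection of the two lists.  OpenSSL
    honours the client's order unless SSL_OP_CIPHER_SERVER_PREFERENCE is set;
    both behaviours are modelled here.
    """
    preferred, other = ((server_accepts, client_offer) if server_preference
                        else (client_offer, server_accepts))
    for suite in preferred:
        if suite in other:
            return suite
    return None


def non_approved_suites_accepted(server_accepts):
    """Audit a server's accept list: every suite a FIPS-mode server would refuse.
    A non-empty result means the server is not enforcing approved functions,
    whatever its clients happen to offer."""
    return [s for s in server_accepts if not is_fips_approved(s)]


def restricted_server_cipher_names(cipher_string: str):
    """Apply an OpenSSL cipher string to a real server context and return the
    TLS 1.2-and-below suite names it would still accept.  Restricting the
    string is the usual knob outside FIPS mode; it is not the same as running
    a validated module in FIPS mode, which also governs the primitives used."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # this OpenSSL build has none of the named suites
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    # The XP client negotiates fine against the unrestricted server ...
    print("XP client     ->", negotiate(XP_FIPS_CLIENT, UNRESTRICTED_SERVER))
    # ... and so does a client leading with RC4-MD5: the server simply takes it.
    print("other client  ->", negotiate(ORDINARY_CLIENT, UNRESTRICTED_SERVER))
    print("server accepts non-approved:",
          non_approved_suites_accepted(UNRESTRICTED_SERVER))
    print("restricted server list:",
          restricted_server_cipher_names("AES128-GCM-SHA256:AES256-GCM-SHA384"))
```

The first two calls are the point of Carl's answer: the same unrestricted server accepts the XP client's 3DES suite and the other client's RC4-MD5, so the XP client's policy says nothing about the server. The audit function is what to run against the server's own configuration; the last call shows the cipher-string restriction that narrows an OpenSSL server, with the caveat that it is a configuration setting, not FIPS mode on a certified module.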