I'm not going to comment on David's assertion's or anything about wpa_supplicants, but lets take a step back:
SSL is NOT allowed in FIPS 140-2 compliant modes; TLS 1.0 IS allowed in FIPS 140-2 when using FIPS-approved security functions (see the FIPS 140-2 implementation guide). TLS 1.0 is sometimes referred to as SSL 3.1, but stick to TLS nomenclature - safer! TLS 1.0 DOES use MD5 and SHA-1 in combination, and - despite MD5 not being allowed by the FIPS 140-2 standard - it is allowed in this case because the combined 'strength" of the two, when used in unison, is not less than SHA-1 itself. I can't remember the technical explanation, but its around somewhere. I would suspect (not know) that OpenSSL uses the MD5 code directly in TLS rather than through the EVP interface, as it should fail using this code path if FIPS is enabled. If you use OpenSSL in FIPS-enabled mode, you will only be allowed to use TLS and FIPS-allowed cipher suites - that's all you need to know most of the time. Carl > On Tue 21/07/09 1:06 PM , Michael Kurecka wpi.open...@gmail.com sent: > Thank you David for your bluntness. Trust me, I'm aware of how significant > making > wpa_supplicant FIPSable is. I've been working on it for several months. Over > the past few > months I've been in the process of removing non-compliant code, updating MD5 > to SHA-1, > etc. I'm close for the AP side with hostapd and have pulled out a lot from > wpa_supplicant > until this latest issue I seemed to be doing OK. You mentioned that SSL v3 > uses MD5 but I > read that was the difference between v2 and v3 is that v3 went to SHA-1. Does > v3 have a > mixture of the two? What determines which SSL version is used? Is it the CTX > object, a > configuration setting, etc.? I've tried tracing the code on the OpenSSL side > but it has me > baffled even with a stack trace I'm having trouble understanding its path. I > would appreciate > any help you can give on the issue. On Mon, Jul 20, 2009 at 10:03 PM, David Schwartz <dav...@webmaster.com> wrote: Michael Kurecka: > How do I disable SSLv3 so that I can use FIPS? Sorry to be blunt, but you don't. A FIPS wpa_supplicant is a significant task, you can't just flip a few switches and make one appear. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
