Michael Kurecka wrote:

> Thank you David for your bluntness. Trust me, I'm aware of how
> significant making wpa_supplicant FIPSable is. I've been working
> on it for several months. Over the past few months I've been in
> the process of removing non-compliant code, updating MD5 to SHA-1,
> etc. I'm close for the AP side with hostapd and have pulled out a
> lot from wpa_supplicant; until this latest issue I seemed to be
> doing OK.

Sorry, I didn't know that.

> You mentioned that SSL v3 uses MD5, but I read that the
> difference between v2 and v3 is that v3 went to SHA-1. Does v3
> have a mixture of the two?

Yes. TLS does as well, however, TLS does not rely on MD5 for any of its
security properties, so it's allowed. You actually can use MD5 in a
FIPS-compliant application so long as you don't derive any of your security
properties from it. (If you think about it, XOR is not a good encryption
algorithm, but it'd be awfully hard to write *any* application without using
XOR for anything, ever.)

> What determines which SSL version is used? Is it the CTX object,
> a configuration setting, etc.? I've tried tracing the code on
> the OpenSSL side but it has me baffled; even with a stack trace
> I'm having trouble understanding its path. I would appreciate
> any help you can give on the issue.

It's controlled by three things, but the one that's probably important for
you is what '*_method' function you call to pass to SSL_CTX_new. You want
one of the TLS*_method calls. You probably have one of the SSLv*_method
calls now.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
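
Added example, not part of the original thread or of OpenSSL's own code: Python's `ssl` module wraps OpenSSL, and `ssl.PROTOCOL_TLS_CLIENT` selects OpenSSL's version-flexible TLS client method, so this builds a context with a TLS method as the reply advises and parses the ClientHello it emits to show which protocol versions the context really offers. The function name `client_hello_versions` and the host name `peer.example` are assumptions made for the illustration.

```python
import ssl
import struct

def client_hello_versions(min_v, max_v):
    """Return (legacy_version, supported_versions) from the ClientHello
    that a context limited to [min_v, max_v] puts on the wire."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # version-flexible TLS method
    ctx.minimum_version = min_v                    # floor: no SSLv3 / old TLS
    ctx.maximum_version = max_v
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # "peer.example" is a constructed name; nothing is sent over a network.
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname="peer.example")
    try:
        conn.do_handshake()        # no peer: stops after writing the ClientHello
    except ssl.SSLWantReadError:
        pass
    rec = outgoing.read()
    assert rec[0] == 0x16 and rec[5] == 0x01, "expected a ClientHello record"
    body = rec[9:]                 # skip 5-byte record and 4-byte handshake headers
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # client_version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
    pos += 2
    offered = []
    while pos + 4 <= end:          # walk the extension list
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if ext_type == 43:         # supported_versions (TLS 1.3 clients only)
            count = body[pos] // 2
            offered = list(struct.unpack_from("!%dH" % count, body, pos + 1))
        pos += ext_len
    return legacy, offered

if __name__ == "__main__":
    V = ssl.TLSVersion
    for lo, hi in ((V.TLSv1_2, V.TLSv1_2), (V.TLSv1_2, V.TLSv1_3)):
        legacy, offered = client_hello_versions(lo, hi)
        print(lo.name, hi.name, hex(legacy), [hex(v) for v in offered])
```

A context capped at TLS 1.2 advertises only the legacy version field (0x0303), while one that allows TLS 1.3 lists every acceptable version in the `supported_versions` extension; 0x0300 (SSLv3) appears in neither.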
