Thanks, that did it! To try to understand the implications of this, if I add SSL_FIPS to TLS1_TXT_PSK_WITH_AES_128_CBC_SHA and TLS1_TXT_PSK_WITH_AES_256_CBC_SHA, am I violating the security policy? AES 128/256 CBC and SHA are approved algorithms(?).
Best regards,
Fredrik

On Mon, Nov 4, 2013 at 2:31 PM, Dr. Stephen Henson <st...@openssl.org> wrote:

> On Mon, Nov 04, 2013, Fredrik Jansson wrote:
>
> > Steve, thanks for getting back!
> >
> > Since I could not reproduce this using s_client and s_server I set out to
> > take the code I am using into a sample project.
> >
> > Doing so I believe I have found the issue, SSL_CTX_set_cipher(ctx,
> > SSL_TXT_PSK) returns an error ("SSL routines:SSL_CTX_set_cipher_list:no
> > cipher match") if I have called FIPS_mode_set(1) first.
> >
> > My original code did not check the return value of SSL_CTX_set_cipher so
> > that may very well be the cause of the subsequent crash.
> >
> > Now my question becomes why I cannot select SSL_TXT_PSK when in FIPS mode?
> >
>
> The ciphersuites supported in FIPS mode are restricted to those which use
> approved algorithms. PSK at present is not listed though there isn't really
> any reason why it can't be included in future.
>
> To test this add the flag SSL_FIPS to the relevant ciphersuites in s3_lib.c
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
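The root cause in the thread was an unchecked SSL_CTX_set_cipher_list() result: a "no cipher match" failure went unnoticed and the context was used anyway. The example below is added here and is not code from the thread or from OpenSSL; it uses Python's ssl module (a thin wrapper over SSL_CTX_set_cipher_list) to show the check, and it cannot toggle FIPS mode, so the failure path is exercised with a cipher string that matches nothing.

```python
"""Check the result of selecting a cipher list instead of assuming it worked.

Python's SSLContext.set_ciphers() calls OpenSSL's SSL_CTX_set_cipher_list()
and raises ssl.SSLError on the same "no cipher match" condition that the
C API reports with a zero return value.  FIPS mode cannot be enabled from
here, so "NOSUCHCIPHER" (a constructed, non-existent name) stands in for a
string that the library refuses.
"""
import ssl


def try_cipher_string(cipher_string, ctx=None):
    """Apply a cipher string to a context.

    Returns (True, [enabled suite names]) on success, or (False, error text)
    when the library cannot satisfy the string.  Never proceed with a context
    whose cipher selection failed.
    """
    ctx = ctx or ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:
        # Same condition as SSL_CTX_set_cipher_list() returning 0.
        return False, str(exc)
    return True, [c["name"] for c in ctx.get_ciphers()]


def select_cipher_list(candidates):
    """Return the first accepted candidate and its resolved suites, else (None, None).

    Order the candidates from most to least preferred so that a restricted
    build (for example FIPS mode rejecting PSK suites) falls back explicitly
    rather than silently running with whatever was configured before.
    """
    for cipher_string in candidates:
        ok, detail = try_cipher_string(cipher_string)
        if ok:
            return cipher_string, detail
    return None, None


if __name__ == "__main__":
    for cs in ("PSK", "NOSUCHCIPHER"):
        ok, detail = try_cipher_string(cs)
        print(cs, "->", "accepted" if ok else "rejected", detail)
    print("chosen:", select_cipher_list(["NOSUCHCIPHER", "PSK", "HIGH"])[0])
```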