Thanks, that did it!
To try to understand the implications of this, if I add SSL_FIPS
to TLS1_TXT_PSK_WITH_AES_128_CBC_SHA and TLS1_TXT_PSK_WITH_AES_256_CBC_SHA,
am I violating the security policy? AES 128/256 CBC and SHA are approved
algorithms(?).
Best regards,
Fredrik
On Mon, Nov 4, 2013 at 2:31 PM, Dr. Stephen Henson <st...@openssl.org>wrote:
> On Mon, Nov 04, 2013, Fredrik Jansson wrote:
>
> > Steve, thanks for getting back!
> >
> > Since I could not reproduce this using s_client and s_server I set out to
> > take the code I am using into a sample project.
> >
> > Doing so I believe I have found the issue, SSL_CTX_set_cipher(ctx,
> > SSL_TXT_PSK) returns an error ("SSL routines:SSL_CTX_set_cipher_list:no
> > cipher match") if I have called FIPS_mode_set(1) first.
> >
> > My original code did not check the return value of SSL_CTX_set_cipher so
> > that may very well be the cause of the subsequent crash.
> >
> > Now my question becomes why I cannot select SSL_TXT_PSK when in FIPS
> mode?
> >
>
> The ciphersuites supported in FIPS mode are restricted to those which use
> approved algorithms. PSK at present is not listed though there isn't really
> any reason why it can't be included in future.
>
> To test this add the flag SSL_FIPS to the relevant ciphersuits in s3_lib.c
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
>
