To be perfectly clear, the server is not OpenSSL itself but application code
that calls OpenSSL. The code is stable and in production and, as I said,
works if I do *not* turn on FIPS on the client. I could trace through the
calls if necessary.

Also, I will be out of the office all day Thursday so this is probably my
last reply for ~36 hours.

Thanks for your help. I really appreciate what you folks do.

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
Sent: Wednesday, November 19, 2014 4:53 PM
To: openssl-users@openssl.org
Subject: RE: SSL alert number 51

- DHE is 1024
- RSA is 2048

Server certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 13 (0xd)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charles m...@mcn.org, O=Charles Mills Consulting, LLC
        Validity
            Not Before: Nov 19 17:06:26 2014 GMT
            Not After : Nov 19 17:06:26 2015 GMT
        Subject: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charle s...@mcn.org, O=X201NOTEBOOK_Server
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Alternative Name:
                DNS:X201NOTEBOOK_Server, DNS:10.17.40.*, DNS:10.17.40.*
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                7B:A3:68:D6:1D:26:59:91:5D:21:1B:45:99:C4:B2:92:BF:46:1D:29
    Signature Algorithm: sha1WithRSAEncryption

Underlying root:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            be:60:c0:40:d6:22:00:f2
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charles m...@mcn.org, O=Charles Mills Consulting, LLC
        Validity
            Not Before: Nov 19 16:55:15 2014 GMT
            Not After : Nov 16 16:55:15 2024 GMT
        Subject: CN=Charles Mills Consulting, LLC, ST=California,
C=US/emailAddress=charle s...@mcn.org, O=Charles Mills Consulting, LLC
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:TRUE
    Signature Algorithm: sha1WithRSAEncryption

DH:

   PKCS#3 DH Parameters: (1024 bit)
        prime:
        generator: 5 (0x5)

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Wednesday, November 19, 2014 4:35 PM
To: openssl-users@openssl.org
Subject: Re: SSL alert number 51

On Wed, Nov 19, 2014, Matt Caswell wrote:
> 
> 
> On 19/11/14 22:57, Charles Mills wrote:
> 
> > User response: If the error occurred while executing in FIPS mode, 
> > check that only FIPS key sizes are used.
> > Collect a System SSL trace containing the error and then contact 
> > your service representative.
> > 
> > I can connect between the client and the server using the set of 
> > parameters under test. They negotiate TLSV1.1 and what you call 
> > DHE-RSA-AES256-SHA and
> 
> FIPS 140-2 places restrictions on the size of the RSA key that you can 
> use. I'm not a FIPS 140-2 expert but I believe you have to be 
> compliant with the various other FIPS standards including FIPS 186-4(?):
> 
> "This Standard specifies three choices for the length of the modulus
> (i.e., nlen): 1024, 2048 and 3072 bits. Federal Government entities 
> shall generate digital signatures using one or more of these choices."
> 
> So how big is your RSA key on the server? Are you able to post the 
> certificate?
> 

Also the DH parameter size should be at least 1024 bits.
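
The size check discussed in this thread, as an added example that is not part of the original messages or of OpenSSL: it reads `openssl x509 -text` / `openssl dhparam -text` style output and compares each key size with the limits the replies state (RSA modulus of 1024, 2048 or 3072 bits; DH parameters of at least 1024 bits). The function and constant names are hypothetical, and the sample input is constructed from the size lines of the dumps posted above.

```python
import re

# Limits exactly as stated in the thread, not an authoritative FIPS policy.
RSA_ALLOWED_BITS = {1024, 2048, 3072}  # modulus lengths in the quoted FIPS 186-4 text
DH_MIN_BITS = 1024                     # "at least 1024 bits"
ALG_RE = re.compile(r"Public Key Algorithm:\s*(\S+)")
KEY_RE = re.compile(r"Public-Key:\s*\((\d+) bit\)")
DH_RE = re.compile(r"DH Parameters:\s*\((\d+) bit\)")

# Constructed sample: size-bearing lines of the three dumps in the thread, hex left out.
SAMPLE_DUMP = """\
Certificate:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Certificate:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
   PKCS#3 DH Parameters: (1024 bit)
"""

def extract_sizes(text):
    """Return (kind, bits) pairs found in `openssl ... -text` style output."""
    found, alg = [], None
    for line in text.splitlines():
        if m := ALG_RE.search(line):
            alg = m.group(1)          # remember the algorithm for the next key size
        elif m := KEY_RE.search(line):
            found.append((alg or "unknown", int(m.group(1))))
            alg = None
        elif m := DH_RE.search(line):
            found.append(("dh", int(m.group(1))))
    return found

def check_sizes(text):
    """Return (kind, bits, ok); ok is None when the thread states no limit."""
    results = []
    for kind, bits in extract_sizes(text):
        if kind == "rsaEncryption":
            ok = bits in RSA_ALLOWED_BITS
        elif kind == "dh":
            ok = bits >= DH_MIN_BITS
        else:
            ok = None
        results.append((kind, bits, ok))
    return results

if __name__ == "__main__":
    for row in check_sizes(SAMPLE_DUMP):
        print(row)
```

For real files, pass in the text printed by `openssl x509 -in cert.pem -noout -text` and `openssl dhparam -in dh.pem -noout -text` (file names are placeholders).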


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
