Re: ssl tests forbidden in FIPS mode

2008-09-18 Thread Tim Hudson

David Schwartz wrote:

> > Is this correct for openssl 0.9.8 using FIPS?
> >
> > test SSL protocol
> > test ssl3 is forbidden in FIPS mode
> > *** IN FIPS MODE ***
> > Available compression methods:
> >   1: zlib compression
> > SSLv3, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> > 1 handshakes of 256 bytes done
> > gmake[1]: *** [test_ssl] Error 1
> > gmake[1]: Leaving directory
> > `/usr/source/openssl-0.9.8-stable-SNAP-20080918-fips/test'
> > gmake: *** [tests] Error 2
>
> If your question is whether SSLv3 should be prohibited in FIPS mode, the
> answer is yes. SSLv3's use of MD5 is not acceptable under FIPS rules.


And for more details as to the reasons that SSLv3 is not allowed yet TLSv1 is,
see the implementation guidance at:


http://csrc.nist.gov/groups/STM/cmvp/documents/fips140-2/FIPS1402IG.pdf

The details are contained in section 7.1 and specifically refer to footnote 13,
which contains:



The problem with SSL 3.0 is the key derivation process that applies to all SSL 
3.0 cipher suites: half of the master key that is set up during the SSL key 
exchange depends entirely on the MD5 hash function. MD5 is not a FIPS approved 
algorithm, and its collision resistance property has recently been broken by 
Antoine Joux.


TLS also uses MD5 in the key derivation process, but in a different manner, so 
that all of the master key depends on both MD5 and SHA-1, and nothing in TLS 
actually depends on MD5 for its security.


Therefore, TLS implementations can be validated under FIPS 140-2, while SSL 3.0 
implementations cannot.
TLS is version 3.1 of SSL, and most current servers and clients are capable of 
doing both SSL 3.0 and TLS.


William Burr, NIST Security Technology Group


The OpenSSL FIPS Object Module implements technical measures to assist the user 
in operating the module in a correct (valid) manner.


Tim.


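To make the footnote's point concrete, here is an added example (not from the thread and not OpenSSL code) that writes out both key-derivation functions the NIST text compares, the SSL 3.0 master-secret computation from RFC 6101 and the TLS 1.0 PRF from RFC 2246, plus a small dispatcher that applies the FIPS rule the test output reports. The `master_secret` dispatcher and the sample inputs are constructed for illustration.

```python
import hashlib
import hmac

def ssl3_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """SSL 3.0 master secret (RFC 6101, section 6.1). Each of the three
    16-byte output blocks is the raw output of an MD5 call; SHA-1 only
    feeds MD5's input, so MD5 is the final step for every key byte."""
    randoms = client_random + server_random
    blocks = []
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master + randoms).digest()
        blocks.append(hashlib.md5(pre_master + inner).digest())
    return b"".join(blocks)

def p_hash(name: str, secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 P_hash expansion (RFC 2246, section 5): A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, name).digest()
        out += hmac.new(secret, a + seed, name).digest()
    return out[:length]

def tls10_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.0 PRF: the secret is split into two (possibly overlapping)
    halves, one expanded with HMAC-MD5 and one with HMAC-SHA1, and the two
    streams are XORed, so every output byte depends on both hashes."""
    half = (len(secret) + 1) // 2  # odd length: the halves share the middle byte
    s1, s2 = secret[:half], secret[-half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))

def master_secret(version: str, pre_master: bytes, client_random: bytes,
                  server_random: bytes, fips_mode: bool = False) -> bytes:
    """Hypothetical dispatcher applying the rule behind 'test ssl3 is forbidden
    in FIPS mode': with fips_mode set, SSLv3 derivation is refused before MD5 runs."""
    if version == "SSLv3":
        if fips_mode:
            raise ValueError("ssl3 is forbidden in FIPS mode: master secret is MD5 output")
        return ssl3_master_secret(pre_master, client_random, server_random)
    if version == "TLSv1":
        return tls10_prf(pre_master, b"master secret", client_random + server_random, 48)
    raise ValueError(f"unsupported protocol version {version!r}")

# Constructed sample inputs (not real handshake values): 48-byte pre-master, 32-byte randoms.
PRE_MASTER = bytes([3, 0]) + bytes(range(46))
CLIENT_RANDOM = bytes([0x11] * 32)
SERVER_RANDOM = bytes([0x22] * 32)
```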


RE: ssl tests forbidden in FIPS mode

2008-09-18 Thread David Schwartz

> Is this correct for openssl 0.9.8 using FIPS?
>
> test SSL protocol
> test ssl3 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> Available compression methods:
>   1: zlib compression
> SSLv3, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
> 1 handshakes of 256 bytes done
> gmake[1]: *** [test_ssl] Error 1
> gmake[1]: Leaving directory
> `/usr/source/openssl-0.9.8-stable-SNAP-20080918-fips/test'
> gmake: *** [tests] Error 2

If your question is whether SSLv3 should be prohibited in FIPS mode, the
answer is yes. SSLv3's use of MD5 is not acceptable under FIPS rules.

DS


__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]