On Fri, Mar 14, 2014, Sunil wrote:

> I have OpenSSL 1.0.1f built with OpenSSL-FIPS-2.0.5 using VS2012 and I have
> gone past the issue with fingerprint mismatch using the compiler flag
> /DYNAMICBASE:no for both MFLAGS and LFLAGS. However, when using the tool
> openssl.exe (with OPENSSL_FIPS=1 in the env) in client-server mode
> (s_server/s_client) I am seeing the following error during the TLS
> handshake:
> 
> 3060:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad
> record mac:.\ssl\s3_pkt.c:484:
> 
> I am using commands like below:
> 
> openssl s_server -accept 443 -key <key> -keyform PKCS12 -pass <pass> -tls1_2
> -cert <cert_file> -certform PEM -no_dhe -no_ecdhe
> 
> openssl s_client -connect <server_ip>:443 -tls1_2
> 
> Note: 
> 
> 1. I have built openssl & fips module with no-asm option
> 2. I have tried suggestions on using OPENSSL_ia32cap (I am not sure if it
> makes sense because I used no-asm) with no change in the end result.
> 3. I have also tried disabling all other versions of TLS and SSL v2 &v3.
> 4. I have verified the communication using Wireshark & Openssl option -msg
> -debug -state: ClientHello & ServerHello complete and client sends the
> ChangeCipherSpec and that's when Server responds with bad record mac.
> 
> PS: On Linux, with the same version of OpenSSL & FIPS used, I did not see
> any error in the handshake; provided both server & agent are using the
> openssl compiled for Linux. If I replace any end with an OpenSSL running on
> Windows, I get the bad record mac error.
> 
> Any help/suggestion on resolving this issue is greatly appreciated.
> 

If you use "no-asm" you'll get considerably reduced performance and no tested
Windows platform has used "no-asm". So I'd suggest you don't include that
option.

What version of the compiler are you using? Try "cl" from the command prompt.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
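The error Sunil reports appears on the first encrypted record after ChangeCipherSpec (the client's Finished), which is the first point at which the two sides' derived keys are actually compared. The following is an added illustration, not code from the thread or from OpenSSL: it implements the TLS 1.2 PRF and record-MAC construction from RFC 5246 in Python and shows that the server rejects that record with a MAC mismatch as soon as the two endpoints derive different key material from the same handshake. The master secret, randoms and Finished body are constructed sample values, not captured from any real session.

```python
import hmac
import hashlib
import struct

def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 expansion (RFC 5246, section 5): HMAC chain A(i) and P(i)."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]

def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """PRF(secret, label, seed) = P_SHA256(secret, label + seed) for SHA-256 suites."""
    return p_sha256(secret, label + seed, length)

def derive_mac_keys(master_secret: bytes, server_random: bytes, client_random: bytes, mac_len: int = 32):
    """First two slices of the key block: client_write_MAC_key and server_write_MAC_key."""
    key_block = tls12_prf(master_secret, b"key expansion", server_random + client_random, 2 * mac_len)
    return key_block[:mac_len], key_block[mac_len:]

def record_mac(mac_key: bytes, seq_num: int, content_type: int, version: int, fragment: bytes) -> bytes:
    """HMAC-SHA256 over seq_num || type || version || length || fragment (RFC 5246, 6.2.3.1)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()

def server_checks_finished(client_ms: bytes, server_ms: bytes, client_random: bytes,
                           server_random: bytes, finished_body: bytes) -> bool:
    """Server-side check of the MAC on the client's first encrypted record (seq 0, handshake type 22).
    client_ms / server_ms are the master secrets each side believes it derived; they should be equal."""
    client_write_key, _ = derive_mac_keys(client_ms, server_random, client_random)
    expected_key, _ = derive_mac_keys(server_ms, server_random, client_random)
    sent = record_mac(client_write_key, 0, 22, 0x0303, finished_body)
    expected = record_mac(expected_key, 0, 22, 0x0303, finished_body)
    return hmac.compare_digest(sent, expected)  # False is the "bad record mac" case

# Constructed sample values (not from a real handshake).
MASTER_SECRET = bytes(range(48))
MASTER_SECRET_DIVERGENT = bytes([MASTER_SECRET[0] ^ 0x01]) + MASTER_SECRET[1:]  # one bit different
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32
FINISHED_BODY = b"\x14\x00\x00\x0c" + b"\x00" * 12  # Finished header + 12-byte verify_data placeholder

def demo():
    """Returns (ok_when_keys_match, ok_when_keys_diverge)."""
    return (server_checks_finished(MASTER_SECRET, MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM, FINISHED_BODY),
            server_checks_finished(MASTER_SECRET, MASTER_SECRET_DIVERGENT, CLIENT_RANDOM, SERVER_RANDOM, FINISHED_BODY))
```

A single-bit difference anywhere in the derivation chain is enough to fail the check, which is why a platform-specific build defect surfaces only at the Finished record and not earlier in the handshake.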
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]