Thank you Dr Stephen for looking into this thread. I isolated the issue to the problem in how I built the FIPS module - I was running the build on a 64-bit machine and on a 64-bit machine the FIPS by default builds a 64-bit binary (this is indicated in the User Guide); although I am not sure yet how this 64-bit binary compiled successfully with a 32-bit OpenSSL configuration. Is there a FIPS compliant way to compile for 32-bit on a 64-bit machine? I used a hack - changing the env PROCESSOR_ARCHITECTURE to x86; the right way is probably to use a 32-bit environment.
_Sunil

On Sun, Mar 16, 2014 at 11:23 AM, Sunil <[email protected]> wrote:

> correction to previous comment. FIPS was built with 'no-asm' too.
>
> _Sunil
>
> On Mar 15, 2014, at 7:24 PM, Sunil <[email protected]> wrote:
>
> I hope you are using s_server/s_client with OPENSSL_FIPS=1.
>
> Below are the steps I used in building OpenSSL with FIPS, please let me
> know if anything is unusual here:
>
> FIPS:
>
> ms\do_fips.bat
>
> OpenSSL-FIPS:
>
> perl Configure VC-WIN32 no-asm no-rc5 no-idea no-ec2m fips --with-fipslibdir=<fips_install_path> --prefix=c:\somedir\openssl\dir
> ms\do_ms.bat
> nmake -f ms\ntdll.mak
>
> Thanks,
> Sunil
>
> On Sat, Mar 15, 2014 at 5:21 PM, Dr. Stephen Henson [via OpenSSL] <[hidden email]> wrote:
>
>> On Sat, Mar 15, 2014, Sunil wrote:
>>
>> > I had some issues when compiling without the "no-asm" option; this can
>> > probably be fixed with configuring the right paths. I haven't dug into
>> > getting the performance gain since I was focused on resolving the bad
>> > record mac error. If it seems related to the issue, then I can work on
>> > getting it compiled without the "no-asm" option.
>> >
>> > Here is the output from cl:
>> >
>> > Microsoft (R) C/C++ Optimizing Compiler Version 17.00.51106.1 for x86
>> >
>> That's odd. I have exactly the same version and don't have any problems with
>> s_server/s_client even with no-asm. The only possible difference is I'm using
>> the latest 1.0.1 snapshot but that shouldn't matter.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. OpenSSL project core developer.
>> Commercial tech support now available see: http://www.openssl.org
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> Development Mailing List [hidden email]
>> Automated List Manager [hidden email]
>
> View this message in context: Re: FIPS capable OpenSSL on windows failing
> with bad record mac failure in a TLSv1.2 handshake
> <http://openssl.6102.n7.nabble.com/FIPS-capable-OpenSSL-on-windows-failing-with-bad-record-mac-failure-in-a-TLSv1-2-handshake-tp48853p48859.html>
>
> Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
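
The mismatch reported at the top of this thread (a 64-bit FIPS module built alongside a 32-bit OpenSSL configuration) can be caught before any handshake test by reading the COFF Machine field of each build artifact. The following is an added example, not part of the original messages or of OpenSSL; the function names and the artifact labels `fips-module.lib` and `openssl.dll` are hypothetical, and the byte strings are constructed samples rather than real binaries.

```python
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}  # IMAGE_FILE_MACHINE_I386 / _AMD64

def _obj_machine(data):
    # Import and /GL "anonymous" objects start 00 00 FF FF; Machine is then at offset 6.
    off = 6 if data[:4] == b"\x00\x00\xff\xff" else 0
    (m,) = struct.unpack_from("<H", data, off)
    return MACHINES.get(m, hex(m))

def machines(data):
    """Set of target architectures in a PE image, .lib archive or bare COFF object."""
    if data[:2] == b"MZ":                        # PE: e_lfanew at 0x3C points to "PE\0\0"
        (pe,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe:pe + 4] != b"PE\0\0":
            raise ValueError("MZ header without PE signature")
        return {_obj_machine(data[pe + 4:pe + 6])}
    if data[:8] != b"!<arch>\n":                 # bare COFF object file
        return {_obj_machine(data)}
    found, pos = set(), 8
    while pos + 60 <= len(data):                 # 60-byte member header, size at bytes 48..57
        name = data[pos:pos + 16].rstrip()
        size = int(data[pos + 48:pos + 58].decode("ascii"))
        body = data[pos + 60:pos + 60 + size]
        if name not in (b"/", b"//") and size >= 8:  # skip linker and long-name members
            found.add(_obj_machine(body))
        pos += 60 + size + (size & 1)            # members are 2-byte aligned
    return found

def mismatches(artifacts, expected):
    """Names of artifacts that contain code for anything other than `expected`."""
    return sorted(n for n, d in artifacts.items() if machines(d) != {expected})

def _member(name, body):  # constructed archive member: 60-byte header + body (+ pad byte)
    hdr = name.ljust(16) + b" " * 32 + str(len(body)).encode().ljust(10) + b"`\n"
    return hdr + body + b"\n" * (len(body) & 1)

# Constructed samples: a 32-bit PE image and a static library holding one x64 object.
SAMPLE_PE32 = (b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
               + b"PE\0\0" + struct.pack("<H", 0x014C) + bytes(18))
SAMPLE_LIB64 = (b"!<arch>\n" + _member(b"/", bytes(4))
                + _member(b"fips_x.obj/", struct.pack("<H", 0x8664) + bytes(18)))

if __name__ == "__main__":
    build = {"fips-module.lib": SAMPLE_LIB64, "openssl.dll": SAMPLE_PE32}
    print("not x86:", mismatches(build, "x86"))
```

On a real build tree, read each file with `open(path, "rb").read()` and pass the architecture the OpenSSL target implies (`x86` for `VC-WIN32`).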
