On Tue, Nov 18, 2008, Brad House wrote:

>>> Second, it doesn't describe which version of the OpenSSL API that the
>>> newly-validated module supports. (in this case, it supports v0.9.8
>>> (and requires 0.9.8i onward), but I dunno about 0.9.7?) Providing
>>> compatibility with a version bump in the API is significant enough
>>> that it should be called out in the press release.
>>>
>> It is 0.9.8j onward which hasn't been released yet but it will be in the
>> next few days. In the meantime a 0.9.8 snapshot needs to be used.
>
> FYI, I pulled the 0.9.8 stable CVS branch this afternoon to test fips
> and had jpake compilation issues (missing jpake.h header file, removing
> the Makefile references resolved the build issue). Hopefully that is fixed
> before 0.9.8j release.
>

Should be fixed now.

> Also, I didn't see an updated Users Guide for v1.2, so I hope
> the build is pretty much the same as v1.1.x:
> ./config --with-fipslibdir=<wherever> fips
>

Yes.

> Finally, I'm getting X509_V_ERR_CERT_SIGNATURE_FAILURE errors when in
> fips mode during SSL negotiation, but the same binary, simply telling
> it via a config setting not to enter fips mode, works fine. This
> is to ssl3.vitalps.net:5003, specifically, but I don't have any reason
> to believe other addresses would be different. This was with the
> resultant 0.9.8j-pre CVS release compiled against the fipscanister from
> v1.2, haven't tried with the v1.2-generated library directly.
>
> Just thought I'd pass that on since people were already in discussion
> here to see if anyone else has had similar issues. I've yet to actually
> debug it further, need to write a test case to see if it occurs there
> first or somehow my fault in some other way ;)
>

The problem is the root CA uses MD2WithRSAEncryption as a signature
algorithm and that is prohibited in FIPS mode.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]