Finally, I'm getting X509_V_ERR_CERT_SIGNATURE_FAILURE errors when in
fips mode during SSL negotiation, but the same binary, simply telling
it via a config setting not to enter fips mode, works fine. This
is to ssl3.vitalps.net:5003, specifically, but I don't have any reason
to believe other addresses would be different. This was with the
resultant 0.9.8j-pre CVS release compiled against the fipscanister from
v1.2, haven't tried with the v1.2-generated library directly.
The problem is the root CA uses MD2WithRSAEncryption as a signature algorithm
and that is prohibited in FIPS mode.
I'm pretty ignorant when it comes to FIPS, is this a limitation of the
FIPS requirements itself or a limitation of OpenSSL's FIPS validation?
Also, how do you find out the signature algorithm used for the root CA?
I don't see it listed when trying to connect using
openssl s_client -connect host:port -CAfile mycafile.pem
Any idea how many root CAs use MD2WithRSAEncryption or any way to work
around it? It appears to be a Verisign cert ...
Thanks.
-Brad
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager [EMAIL PROTECTED]
