On Tue, Nov 18, 2008, Brad House wrote:

> I'm pretty ignorant when it comes to FIPS, is this a limitation of the
> FIPS requirements itself or a limitation of OpenSSL's FIPS validation?

It is a FIPS requirement.

> Any idea how many root CAs use MD2WithRSAEncryption or any way to work
> around it? It appears to be a Verisign cert ...

That is the only one I know of. It is only the root CA's self signature that uses that algorithm, subordinates use SHA1+RSA.

If a self signed root CA using SHA1+RSA existed that would solve things. I've not seen one though and browsers and such like have the MD2 version.

It could also be argued that the self signed signature check is redundant so that could be disabled.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk