"Dr. Stephen Henson" <st...@openssl.org> writes: > On Mon, May 16, 2011, Henrik Grindal Bakken wrote: > >> >> Hi. I'm trying to test the current CVS HEAD with >> FIPS_set_module_mode(1). >> >> It's looking fairly promising to me, but I currently have one problem: >> While performing an SSL handshake, I get >> 1208113320:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled >> for fips:fips_md.c:179: > > The rest of OpenSSL cannnot currently use the FIPS module correctly > in all cases. You'll get quite a few problems like this. For now > only the things in README.FIPS will work.
Okay.

>> This sounded a bit weird to me, since I've tried my best to set up
>> my application to use only FIPS-validated algorithms, but to no
>> avail. I added some debugging printouts to my libcrypto, and from
>> what I could understand, the digest in question is MD5. When I
>> patched openssl to say MD5 was a FIPS-approved digest, it worked.
>>
>> The program I'm using is attached, and also output from a separate
>> 'openssl s_client -connect -showcerts'.
>>
>> Does anyone have any ideas as to why MD5 appears in this handshake?
>
> MD5 is a mandatory algorithm for TLS 1.1 and 1.0. As a result the
> use of MD5 is permitted solely for use in TLS in FIPS mode. Handling
> this requires some exception code in the ssl library which isn't
> currently in place for HEAD.

Aha. I'll work around this by allowing MD5 for the time being, I
think.

Thanks for your response.

--
Henrik Grindal Bakken <h...@ifi.uio.no>
PGP ID: 8D436E52
Fingerprint: 131D 9590 F0CF 47EF 7963 02AF 9236 D25A 8D43 6E52

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org