On Wed, May 18, 2011, Henrik Grindal Bakken wrote:

> "Dr. Stephen Henson" <st...@openssl.org> writes:
> 
> > On Mon, May 16, 2011, Henrik Grindal Bakken wrote:
> >
> >> This sounded a bit weird to me, since I've tried my best to set up
> >> my application to use only FIPS-validated algorithms, but to no
> >> avail.  I added some debugging printouts to my libcrypto, and from
> >> what I could understand, the digest in question is MD5.  When I
> >> patched openssl to say MD5 was a FIPS-approved digest, it worked.
> >> 
> >> The program I'm using is attached, and also output from a separate
> >> 'openssl s_client -connect -showcerts'.
> >> 
> >> Does anyone have any ideas as to why MD5 appears in this handshake?
> >
> > MD5 is a mandatory algorithm for TLS 1.1 and 1.0. As a result the
> > use of MD5 is permitted solely for use in TLS in FIPS mode. Handling
> > this requires some exception code in the ssl library which isn't
> > currently in place for HEAD.
> 
> Aha.  I'll work around this by allowing MD5 for the time being, I
> think.  Thanks for your response.
> 

This should work now as the FIPS capable code has been added to the ssl
library.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
