I have OpenSSL 1.0.1f built with OpenSSL-FIPS-2.0.5 using VS2012 and I have gone past the issue with fingerprint mismatch using the compiler flag /DYNAMICBASE:no for both MFLAGS and LFLAGS. However, when using the tool openssl.exe (with OPENSSL_FIPS=1 in the env) in client-server mode (s_server/s_client) I am seeing the following error during the TLS handshake:
3060:error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac:.\ssl\s3_pkt.c:484:

I am using commands like the ones below:

    openssl s_server -accept 443 -key <key> -keyform PKCS12 -pass <pass> -tls1_2 -cert <cert_file> -certform PEM -no_dhe -no_ecdhe
    openssl s_client -connect <server_ip>:443 -tls1_2

Note:
1. I have built openssl & fips module with the no-asm option.
2. I have tried suggestions on using OPENSSL_ia32cap (I am not sure if it makes sense because I used no-asm) with no change in the end result.
3. I have also tried disabling all other versions of TLS and SSL v2 & v3.
4. I have verified the communication using Wireshark & OpenSSL options -msg -debug -state: ClientHello & ServerHello complete and the client sends the ChangeCipherSpec, and that's when the server responds with bad record mac.

PS: On Linux, with the same version of OpenSSL & FIPS used, I did not see any error in the handshake, provided both server & agent are using the openssl compiled for Linux. If I replace any end with an OpenSSL running on Windows, I get the bad record mac error.

Any help/suggestion on resolving this issue is greatly appreciated.

_Sunil

--
View this message in context: http://openssl.6102.n7.nabble.com/FIPS-capable-OpenSSL-on-windows-failing-with-bad-record-mac-failure-in-a-TLSv1-2-handshake-tp48853.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org