Michael Kurecka wrote:

> Thank you for your help that is definitely a point in the right
> direction; however, it leaves me more baffled. I found the only
> SSL_CTX_new function that is in the code and it is being passed
> the TLSv1_method not an SSLv*_method which is what it should be
> according to your statement. So what else could cause it to call
> a different method? Is there an attribute of the SSL_CTX structure
> that I could display to see what version is going to be called that
> I could use to help trace the problem?

Most likely, you're getting a connection from a non-FIPS endpoint that's
forcing you to use a protocol that's not FIPS compliant. I'm not sure why
you're seeing what you're seeing though -- it should just have reported that
it was unable to negotiate compatible protocols (assuming the other end was
not capable of TLSv1).

It may help to set SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3.

Maybe you're setting FIPS mode too late and incompatible algorithms have
already been added?

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
