David Schwartz wrote:

>Most likely, you're getting a connection from a non-FIPS endpoint that's
>forcing you to use a protocol that's not FIPS compliant. I'm not sure why
>you're seeing what you're seeing though -- it should just have reported that
>it was unable to negotiate compatible protocols (assuming the other end was
>not capable of TLSv1).

>It may help to set SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3.

I believe these options are being set. The following code is being called
after the TLSv1_method() and before the assertion, with
SSL_OP_NO_COMPRESSION not being set.

   options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
             SSL_OP_SINGLE_DH_USE;

#ifdef SSL_OP_NO_COMPRESSION
   options |= SSL_OP_NO_COMPRESSION;
#endif

   SSL_set_options(conn->ssl, options);


>Maybe you're setting FIPS mode too late and incompatible algorithms have
>already been added?

FIPS is being enabled in the first line of the code.

Dr. Steve:

How do I enable debug? I want to make sure I have it set right as it takes a
while to rebuild.
