David Schwartz wrote:

>Most likely, you're getting a connection from a non-FIPS endpoint that's
>forcing you to use a protocol that's not FIPS compliant. I'm not sure why
>you're seeing what you're seeing though -- it should just have reported that
>it was unable to negotiate compatible protocols (assuming the other end was
>not capable of TLSv1).
>It may help to set SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3.

I believe these options are being set. The following code is being called after the TLSv1_method() and before the assertion with the SSL_OP_NO_COMPRESSION not being set.

    options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE;
    #ifdef SSL_OP_NO_COMPRESSION
    options |= SSL_OP_NO_COMPRESSION;
    #endif
    SSL_set_options(conn->ssl, options);

>Maybe you're setting FIPS mode too late and incompatible algorithms have
>already been added?

FIPS is being enabled in the first line of the code.

Dr. Steve: How do I enable debug? I want to make sure I have it set right as it takes a while to rebuild.