On Thu, Jul 23, 2009 at 12:51:53PM +0200, Dr. Stephen Henson wrote: > Yes in FIPS mode non-compliant ciphersuites are disabled and so should never > be seen. If there is some way to use them which is triggering this in > unmodified OpenSSL 0.9.8k I'd like to know what it is as that's a bug which > should be fixed.
I have not seen the wpa_supplicant changes in question (but would be interested in them if the author would be willing to open source them), so I cannot be sure on what is happening here, but this sounds like non-TLS use of MD5 for some other WPA use case (e.g., EAPOL-Key integrity check when using TKIP). EAP-TLS (and PEAP/TTLS/FAST for that matter) do not allow SSLv2 or SSLv3 to be used and wpa_supplicant enables only TLSv1 for them. As far as the non-TLS options are concerned, I would suggest using WPA2 with CCMP in order to get rid of some MD5 uses. I would be surprised if you could make the end pass whatever criteria FIPS has unless you do this. -- Jouni Malinen PGP id EFC895FA ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
