Folks,
I have run into an issue with the FIPS Object Module that has me stumped.  I have a 
multi-platform non-gui C++ application that uses boost::asio with OpenSSL under 
the covers for network communications.  It is mature code over two years old.  
For Windows it is built on Windows XPSP3 for both 32-bit and 64-bit platforms 
and for Linux on RHEL5.3 for 32-bit and 64-bit platforms.  Nightly, we run 
extended automated tests on all our platforms. For Windows we test the 
application on both 32-bit and 64-bit variants of Windows XP, 2003, 2008, Vista 
and Windows 7.  The automated testing heavily exercises SSL communications.

A couple of weeks ago I updated OpenSSL to v1.0.1c and added the FIPS Object 
Module v2.0.1.  After building a FIPS Capable OpenSSL as specified it was 
straightforward to add FIPS mode to my application. The change was seamless, 
with full operation on all Linux platforms and all Windows 64-bit platforms, but we 
had issues with FIPS on 32-bit Windows 2008, Vista and Windows 7 platforms.  It 
works on 32-bit Windows XP and 2003 but not on the newer 32-bit versions of 
Windows.  I tried all combinations of static and dll linkage, release and debug 
builds and the results were 100% deterministic:  On the newer Windows 32-bit 
platforms FIPS_mode_set() always fails with error: "error:2D06B06F:FIPS 
routines:FIPS_check_incore_fingerprint:fingerprint does not match".

Next I tried both OpenSSL 1.0.1d and 1.0.1e with FIPS 2.0.2 and had the same 
results. Lastly, to make sure it wasn't my application that was causing the 
issue, I wrote a simple test application that does one thing: call 
FIPS_mode_set().  The failure pattern was exactly the same.  Works on all 
64-bit Windows, works on 32-bit Windows XP and 2003 but fails on Windows 2008, 
Vista and Windows 7.

Anyone have any ideas?

Thanks,
Gwen
--
Gwendolyn Hunt
Senior Software Engineer
gh...@tripwire.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
