On Mon, Nov 04, 2013, Fredrik Jansson wrote:

> Steve, thanks for getting back!
> 
> Since I could not reproduce this using s_client and s_server I set out to
> take the code I am using into a sample project.
> 
> Doing so I believe I have found the issue, SSL_CTX_set_cipher(ctx,
> SSL_TXT_PSK) returns an error ("SSL routines:SSL_CTX_set_cipher_list:no
> cipher match") if I have called FIPS_mode_set(1) first.
> 
> My original code did not check the return value of SSL_CTX_set_cipher so
> that may very well be the cause of the subsequent crash.
> 
> Now my question becomes why I cannot select SSL_TXT_PSK when in FIPS mode?
> 

The ciphersuites supported in FIPS mode are restricted to those which use
approved algorithms. PSK at present is not listed though there isn't really
any reason why it can't be included in future.

To test this add the flag SSL_FIPS to the relevant ciphersuites in s3_lib.c.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
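
The behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL source: a self-contained C model of a cipher table in which FIPS mode filters out entries lacking a FIPS flag, so a PSK-only selection returns 0 and the caller has to check it. The table contents, the `model_*` names and the flag values are constructed for illustration; only the name SSL_FIPS comes from the reply.

```c
/* Simplified model, not OpenSSL code: table, names and flag values are constructed. */
#include <stdio.h>
#include <string.h>

#define M_HIGH 0x1u
#define M_FIPS 0x2u   /* stands in for the SSL_FIPS flag named in the reply */

struct model_cipher { const char *name; const char *kx; unsigned strength; };

/* Constructed table: the PSK entries lack M_FIPS, as the reply describes. */
static struct model_cipher model_table[] = {
    { "AES128-SHA",         "RSA", M_HIGH | M_FIPS },
    { "DHE-RSA-AES256-SHA", "DHE", M_HIGH | M_FIPS },
    { "PSK-AES128-CBC-SHA", "PSK", M_HIGH },
    { "PSK-AES256-CBC-SHA", "PSK", M_HIGH },
};
#define MODEL_N (sizeof model_table / sizeof model_table[0])
struct model_ctx { const struct model_cipher *enabled[MODEL_N]; size_t count; };

/* Returns 1 if at least one cipher matches, 0 on "no cipher match". */
int model_set_cipher_list(struct model_ctx *ctx, const char *kx, int fips_mode)
{
    ctx->count = 0;
    for (size_t i = 0; i < MODEL_N; i++) {
        if (fips_mode && !(model_table[i].strength & M_FIPS))
            continue;                 /* not eligible in FIPS mode */
        if (strcmp(model_table[i].kx, kx) == 0)
            ctx->enabled[ctx->count++] = &model_table[i];
    }
    return ctx->count > 0;
}

/* The test suggested in the reply: mark the PSK entries as FIPS-capable. */
void model_mark_psk_fips(void)
{
    for (size_t i = 0; i < MODEL_N; i++)
        if (strcmp(model_table[i].kx, "PSK") == 0)
            model_table[i].strength |= M_FIPS;
}

int main(void)
{
    struct model_ctx ctx;
    if (!model_set_cipher_list(&ctx, "PSK", 1)) {   /* check the return value */
        fprintf(stderr, "no cipher match: refusing to continue\n");
        return 1;                     /* fail closed instead of using ctx */
    }
    printf("%zu PSK suites enabled\n", ctx.count);
    return 0;
}
```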
