Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Salz, Rich
If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead? Because they are *the same*. TLS did not take old ciphers and renumber or rename them.

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3, and then again for TLS1.0, and again for TLS1.1 etc - it's just defined once and is reused across multiple protocol versions. Yes, this is what I basically understood.

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Matt Caswell
On 28/04/15 13:31, jonetsu wrote: That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3 ciphers

[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hi, ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode) https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0 Specifically: FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 FCS_TLSS_EXT.2.2 The TSF shall deny connections

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, jonetsu wrote: ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode) https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0 Specifically: FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hello, In FIPS mode SSL 3.0 is not allowed: that has always been the case. % openssl version OpenSSL 1.0.1f 6 Jan 2014 % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL ECDHE-RSA-AES256-SHA SSLv3 ECDHE-ECDSA-AES256-SHA SSLv3 DHE-RSA-AES256-SHA SSLv3 DHE-DSS-AES256-SHA SSLv3

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, jonetsu wrote: Hello, In FIPS mode SSL 3.0 is not allowed: that has always been the case. % openssl version OpenSSL 1.0.1f 6 Jan 2014 % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL ECDHE-RSA-AES256-SHA SSLv3 ECDHE-ECDSA-AES256-SHA SSLv3