Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead ? Because they are *the same* TLS did not take old ciphers and renumber or rename them. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3, and then again for TLS1.0, and again for TLS1.1 etc - its just defined once and is reused across multiple protocol versions. Yes, this is what I basically understood. What was lacking then in my undestanding, is that : % OPENSSL_FIPS=1 openssl ciphers -v Will not output strictly according to FIPS. Maybe there's no easy way to do that when the definition of a cipher states otherwise. Thanks. -- View this message in context: http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695p57764.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
On 28/04/15 13:31, jonetsu wrote: That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3 ciphers show up ? If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead ? SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3, and then again for TLS1.0, and again for TLS1.1 etc - its just defined once and is reused across multiple protocol versions. Matt ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3 ciphers show up ? If they have counterparts in TLS that could be used, why wouldn't the TLS version show up instead ? Thanks. -- View this message in context: http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695p57762.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
Hi, ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode) https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0 Specifically: FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 In this case, would it be possible to simply compile OpenSSL without support for SSL 3.0, while having FIPS mode taking care of the rest ? I do not remeber the exact option now, although I'm almost sure there's a compile option to exclude SSL 3.0. Am I right and would that work ? Regards. -- View this message in context: http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
On Fri, Apr 24, 2015, jonetsu wrote: ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode) https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0 Specifically: FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0 In this case, would it be possible to simply compile OpenSSL without support for SSL 3.0, while having FIPS mode taking care of the rest ? I do not remeber the exact option now, although I'm almost sure there's a compile option to exclude SSL 3.0. Am I right and would that work ? In FIPS mode SSL 3.0 is not allowed: that has always been the case. TLS 1.0 is currently permitted though. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
Hello, In FIPS mode SSL 3.0 is not allowed: that has always been the case. % openssl version OpenSSL 1.0.1f 6 Jan 2014 % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL ECDHE-RSA-AES256-SHASSLv3 ECDHE-ECDSA-AES256-SHA SSLv3 DHE-RSA-AES256-SHA SSLv3 DHE-DSS-AES256-SHA SSLv3 [snipped] All of the others are TLSv1.2. Why is SSLv3.0 seen in FIPS mode on this install ? TLS 1.0 is currently permitted though. As far as OpenSSL is concerned, will any action to remove TLSv.10 only be taken when put into a FIPS frame, eg. the recent NDCPPv1.0 is not enough ground to make a change ? Regards. -- View this message in context: http://openssl.6102.n7.nabble.com/FIPS-SSL-3-0-now-forbidden-in-latest-NDCPP-update-tp57695p57707.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
On Fri, Apr 24, 2015, jonetsu wrote: Hello, In FIPS mode SSL 3.0 is not allowed: that has always been the case. % openssl version OpenSSL 1.0.1f 6 Jan 2014 % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL ECDHE-RSA-AES256-SHASSLv3 ECDHE-ECDSA-AES256-SHA SSLv3 DHE-RSA-AES256-SHA SSLv3 DHE-DSS-AES256-SHA SSLv3 [snipped] All of the others are TLSv1.2. Why is SSLv3.0 seen in FIPS mode on this install ? That refers to the minimum version of the ciphersuite: it doesn't imply that it will only be used in SSLv3 (which is disabled in FIPS mode). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ___ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users