cURL / Mailing Lists / curl-library / Single Mail

curl-library

Not getting past TLS handshake when FIPS mode in libcurl

From: Trent, Michael <Michael.Trent_at_xerox.com>
Date: Tue, 6 Oct 2009 12:00:36 -0700

In our environment, libcurl is linked in with openSSL 0.9.8k and
associated FIPS module. It is linked into our client application.

 

When setting openSSL FIPS mode (FIPS_mode_set(1)), the TLS handshaking
reply seemed to be ignored on communications with the server.

 

The client linked with libcurl sends a TLS HELLO with a list of
supported crypto strings and the server picks one and replies. The
client appears to ignore the server reply and resubmits the HELLO, then
fails after the response.

 

We have not problem when FIPS is not turned on:

Without FIPS turned on the client sends a TLS HELLO with a longer list
of crypto strings which include non FIPS allowed strings, and the server
picks a non FIPS allowed string and replies with that. In this case the
TLS normal handshaking occurs and the client does not fail.

 

Any idea? Does libcurl not support the stronger encryption of FIPS (AES
encryption, and SHA digest)?

 

(apache code httpd works find in FIPS mode using the same openSSL. The
TLS handshaking is fine with the apache server).

 

Thanks,

Mike

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-10-06