curl-library

Re: Not getting past TLS handshake when FIPS mode in libcurl

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Tue, 13 Oct 2009 05:48:09 +0200 (CEST)

On Tue, 6 Oct 2009, Trent, Michael wrote:

> When setting OpenSSL FIPS mode (FIPS_mode_set(1)), the TLS handshaking
> reply seemed to be ignored on communications with the server.

...

> We have no problem when FIPS is not turned on:

This so makes it sound and feel like the problem is in the OpenSSL FIPS module
and not in libcurl. Why do you suspect libcurl at all in the first place?

> Without FIPS turned on the client sends a TLS HELLO with a longer list of
> crypto strings which include non FIPS allowed strings, and the server picks
> a non FIPS allowed string and replies with that. In this case the TLS normal
> handshaking occurs and the client does not fail.

Right, as FIPS limits what cryptos can be used.

> Any idea? Does libcurl not support the stronger encryption of FIPS (AES
> encryption, and SHA digest)?

This is not a libcurl problem since, as you say, it works fine with OpenSSL
without the FIPS stuff. The handshaking and the crypto layer stuff is all done
by OpenSSL (or alternative lib).

-- 
  / daniel.haxx.se
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2009-10-13
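The cipher-list difference Michael describes (a long ClientHello list including non-FIPS suites versus the short list a FIPS-mode OpenSSL offers) can be checked in a packet capture without touching libcurl at all. The following is an added example, not code from the thread, curl or OpenSSL: it parses TLS ClientHello and ServerHello records, names the offered and chosen cipher suites, and flags those that are not FIPS approved. The handshake bytes are constructed in the block itself (not captured), the helper names are invented for the example, and the FIPS_APPROVED set is an assumption modelled on the 2009-era OpenSSL FIPS module (AES or 3DES with SHA-1; RC4, MD5, single DES, NULL and export suites excluded).

```python
"""Inspect cipher suites in TLS ClientHello / ServerHello records and flag
those that are not FIPS approved.

Added example; not code from curl, libcurl, OpenSSL or the thread. The
approved set is an assumption modelled on the 2009-era OpenSSL FIPS module
(AES/3DES with SHA-1); the sample handshake bytes are constructed, not
captured."""
import struct

# Cipher suite IDs from the TLS registry (RFC 2246 / RFC 3268).
SUITE_NAMES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

# Assumption: FIPS approved = AES or 3DES bulk cipher with SHA-1 MAC.
# RC4, MD5, single DES, NULL and export suites are not approved.
FIPS_APPROVED = {0x000A, 0x002F, 0x0033, 0x0035, 0x0039}

HANDSHAKE = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02


def parse_hello(record):
    """Return (msg_type, [cipher suite ids]) from one TLS handshake record.
    A ServerHello yields a one-element list: the suite the server chose."""
    if record[0] != HANDSHAKE:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    msg_type = hs[0]
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                              # skip version + random
    sid_len = body[pos]
    pos += 1 + sid_len                        # skip session id
    if msg_type == CLIENT_HELLO:
        n = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", body[pos + i:pos + i + 2])[0]
                  for i in range(0, n, 2)]
    elif msg_type == SERVER_HELLO:
        suites = [struct.unpack(">H", body[pos:pos + 2])[0]]
    else:
        raise ValueError("unsupported handshake type %#x" % msg_type)
    return msg_type, suites


def fips_report(suites):
    """Split suite ids into (approved, not approved) lists of names."""
    ok = [SUITE_NAMES.get(s, hex(s)) for s in suites if s in FIPS_APPROVED]
    bad = [SUITE_NAMES.get(s, hex(s)) for s in suites if s not in FIPS_APPROVED]
    return ok, bad


def _wrap(msg_type, body, version):
    """Handshake header (type + 3-byte length) inside a TLS record header."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(version) + struct.pack(">H", len(hs)) + hs


def build_client_hello(suites, version=(3, 1)):
    """Constructed TLS 1.0 ClientHello for offline testing (fixed random)."""
    body = bytes(version) + b"\x11" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    return _wrap(CLIENT_HELLO, body, version)


def build_server_hello(suite, version=(3, 1)):
    """Constructed TLS 1.0 ServerHello selecting a single suite."""
    body = bytes(version) + b"\x22" * 32 + b"\x00" + struct.pack(">H", suite) + b"\x00"
    return _wrap(SERVER_HELLO, body, version)


def negotiation_ok(client_hello, server_hello, fips_mode):
    """Mirror what a client does with the server's choice: the chosen suite
    must be one the client offered and, in FIPS mode, an approved one."""
    _, offered = parse_hello(client_hello)
    _, chosen = parse_hello(server_hello)
    choice = chosen[0]
    if choice not in offered:
        return False
    return (choice in FIPS_APPROVED) if fips_mode else True


if __name__ == "__main__":
    full = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]          # plain OpenSSL-style list
    fips_only = [s for s in full if s in FIPS_APPROVED]      # what FIPS mode leaves
    for label, suites in (("non-FIPS client", full), ("FIPS client", fips_only)):
        ok, bad = fips_report(parse_hello(build_client_hello(suites))[1])
        print(label, "offers approved:", ok, "not approved:", bad)
    # A server that prefers RC4: fine for the plain client, fatal in FIPS mode.
    sh = build_server_hello(0x0004)
    print("plain client accepts RC4 pick:", negotiation_ok(build_client_hello(full), sh, False))
    print("FIPS client accepts RC4 pick:", negotiation_ok(build_client_hello(fips_only), sh, True))
```

Run against a real capture, feed the raw handshake record bytes from the ClientHello and ServerHello frames to parse_hello; if the server's choice is absent from the FIPS client's offered list, or is not in the approved set, the failure is in cipher negotiation between OpenSSL and the server, not in libcurl.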