[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update
Dr. Stephen Henson
steve at openssl.org
Fri Apr 24 17:27:00 UTC 2015
On Fri, Apr 24, 2015, jonetsu wrote:
>
> ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
>
> https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
>
> Specifically:
>
> "FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0"
>
> "FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0"
>
> In this case, would it be possible to simply compile OpenSSL without support
> for SSL 3.0, while having FIPS mode take care of the rest? I do not
> remember the exact option now, although I'm almost sure there's a compile
> option to exclude SSL 3.0. Am I right, and would that work?
>
In FIPS mode SSL 3.0 is not allowed: that has always been the case. TLS 1.0 is
currently permitted though.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
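Added example, not code from this thread or from OpenSSL: a stand-alone C check that applies the FCS_TLSS_EXT.1.2 rule to the first bytes a client sends, denying SSL 2.0-format hellos outright and any TLS-format ClientHello whose client_version is below TLS 1.1. It exists to make the gap in the question concrete: building with `./config no-ssl3` (or relying on FIPS mode) removes SSL 3.0, but TLS 1.0 is still negotiated unless the server excludes it explicitly; in an OpenSSL server that is `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1)`. The function and constant names (`gate_client_hello`, `MIN_VERSION`, the verdict enum) and the sample hello byte strings are all constructed for this example.

```c
/* Stand-alone ClientHello version gate modelled on NDcPP FCS_TLSS_EXT.1.2
 * (deny SSL 2.0, SSL 3.0, TLS 1.0). Not OpenSSL code; names and samples
 * are invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum verdict { DENY_MALFORMED = -1, DENY_VERSION = 0, ACCEPT = 1 };

/* Protocol versions as they appear on the wire (major << 8 | minor). */
#define SSL3_VERSION   0x0300
#define TLS1_0_VERSION 0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Floor chosen for this example. FIPS mode alone only rules out SSL 3.0;
 * TLS 1.0 must be excluded explicitly to meet the NDcPP requirement. */
#define MIN_VERSION TLS1_1_VERSION

/* Inspect the start of the first record on a connection. *ver receives the
 * version the client requested (0 if none could be parsed). */
enum verdict gate_client_hello(const uint8_t *buf, size_t len, uint16_t *ver)
{
    *ver = 0;
    if (len < 3)
        return DENY_MALFORMED;

    /* SSL 2.0-compatible hello: no record header; the first byte has the
     * high bit set and the third byte is MSG-CLIENT-HELLO (0x01). Bytes 3-4
     * carry the advertised version, but the format itself is SSL 2.0 and is
     * denied regardless of what it advertises. */
    if ((buf[0] & 0x80) && buf[2] == 0x01) {
        if (len >= 5)
            *ver = (uint16_t)((buf[3] << 8) | buf[4]);
        return DENY_VERSION;
    }

    /* TLS/SSL 3 record: type(1) version(2) length(2), then a Handshake body:
     * msg_type(1) length(3) client_version(2). Only the handshake-level
     * client_version is authoritative; the record-layer version is a hint. */
    if (len < 11 || buf[0] != 0x16 || buf[5] != 0x01)
        return DENY_MALFORMED;

    *ver = (uint16_t)((buf[9] << 8) | buf[10]);
    return *ver < MIN_VERSION ? DENY_VERSION : ACCEPT;
}

/* Wrappers returning one result each, for callers that want just the verdict
 * or just the parsed version. */
int verdict_of(const uint8_t *buf, size_t len)
{
    uint16_t v;
    return gate_client_hello(buf, len, &v);
}

unsigned version_of(const uint8_t *buf, size_t len)
{
    uint16_t v;
    gate_client_hello(buf, len, &v);
    return v;
}

const char *version_name(uint16_t v)
{
    switch (v) {
    case SSL3_VERSION:   return "SSL 3.0";
    case TLS1_0_VERSION: return "TLS 1.0";
    case TLS1_1_VERSION: return "TLS 1.1";
    case TLS1_2_VERSION: return "TLS 1.2";
    case 0x0002:         return "SSL 2.0";
    default:             return "unknown";
    }
}

/* Constructed sample hellos: record header plus the first handshake bytes.
 * Only the first 11 bytes matter to the gate; the rest is padding. */
const uint8_t HELLO_TLS12[] = { 0x16,0x03,0x01, 0x00,0x2c, 0x01, 0x00,0x00,0x28, 0x03,0x03, 0x00 };
const uint8_t HELLO_TLS10[] = { 0x16,0x03,0x01, 0x00,0x2c, 0x01, 0x00,0x00,0x28, 0x03,0x01, 0x00 };
const uint8_t HELLO_SSL3[]  = { 0x16,0x03,0x00, 0x00,0x2c, 0x01, 0x00,0x00,0x28, 0x03,0x00, 0x00 };
const uint8_t HELLO_SSL2[]  = { 0x80,0x2e, 0x01, 0x00,0x02, 0x00,0x0c, 0x00,0x00, 0x00,0x10 };
const uint8_t NOT_A_HELLO[] = { 0x17,0x03,0x03, 0x00,0x10, 0x00,0x00,0x00,0x00, 0x00,0x00, 0x00 };

int main(void)
{
    const uint8_t *samples[] = { HELLO_TLS12, HELLO_TLS10, HELLO_SSL3, HELLO_SSL2, NOT_A_HELLO };
    const size_t lens[] = { sizeof HELLO_TLS12, sizeof HELLO_TLS10, sizeof HELLO_SSL3,
                            sizeof HELLO_SSL2, sizeof NOT_A_HELLO };
    static const char *const names[] = { "accept", "deny (version)", "deny (malformed)" };
    for (size_t i = 0; i < 5; i++) {
        uint16_t v;
        enum verdict r = gate_client_hello(samples[i], lens[i], &v);
        printf("sample %zu: client_version %s -> %s\n", i, version_name(v),
               r == ACCEPT ? names[0] : r == DENY_VERSION ? names[1] : names[2]);
    }
    return 0;
}
```

The check reads the handshake-level client_version, which is what a pre-1.3 client actually requests; a TLS 1.3 client sets that field to 0x0303 and carries its real versions in the supported_versions extension, so it passes the floor here as intended. This gate only decides what to refuse up front; in a real server the negotiated version is still whatever the library picks, so the `SSL_OP_NO_*` options (or a minimum protocol version) on the SSL_CTX remain the enforcement point.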