[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

Matt Caswell matt at openssl.org
Tue Apr 28 12:58:35 UTC 2015

On 28/04/15 13:31, jonetsu wrote:
>> That refers to the minimum version of the ciphersuite: it
>> doesn't imply that it will only be used in SSLv3 (which is
>> disabled in FIPS mode).
> Hmmm...  I'm sorry but I do not really understand this.  Since openssl is
> run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3
> ciphers show up ?  If they have counterparts in TLS that could be used, why
> wouldn't the TLS version show up instead ?

SSLv3 in the ciphersuite definition means it can be used in SSLv3 *and
later*. A ciphersuite isn't defined once for SSLv3, and then again for
TLS1.0, and again for TLS1.1 etc - its just defined once and is reused
across multiple protocol versions.


More information about the openssl-users mailing list