[openssl-users] Help With CipherSpecs

Lesley Kimmel lesley.j.kimmel at gmail.com
Tue Apr 11 13:23:31 UTC 2017

Hi All!

I'm not an expert, by any means, with cipher suites, etc. I am working with
an HTTPD server where I am not able to set the server/kernel to FIPS mode
nor am I able to set the HTTPD server (openssl) to FIPS mode. However, I am
able to modify the SSLCipherSuite directive.

Doing some playing around with the 'openssl ciphers' command I was able to
determine that:

openssl ciphers 'FIPS:!aNULL'

Seems to be equivalent to: 'OPENSSL_FIPS=1 openssl ciphers'

I sort of stumbled on this based on a couple forums that I found. It seems
the 'FIPS' alias for the Cipherspec is undocumented but appears to work.

Can anyone validate if this seems correct?

Also, I gather that the cipherspec is not all that is limited by using FIPS
mode. Are there any other settings of httpd that I might set to better
approximate FIPS mode?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170411/df5f678b/attachment-0001.html>

More information about the openssl-users mailing list