Actually, the failure is expected.  Since it must not be allowed in
FIPS mode, it has to be tested to make sure that it doesn't
inadvertently fall through and let it happen.

The wording in the tests should be interpreted as, "test that SSL3 is
forbidden in FIPS mode", "test that SSL2 is forbidden in FIPS mode".
Since it's forbidden, it must be proven that the code forbids it.

-Kyle H

On Feb 12, 2008 1:56 PM, PS <[EMAIL PROTECTED]> wrote:
> Hi,
>  One of the tests on the openssl-fips-1.1.2 fails without any warning when I
> try running "make test". Though the test fails, the command continues to
> completion.
>  Specifically this is the snippet of the output where the error occurs:
>  Testing cipher RC4(encrypt/decrypt)
> Key
> 0000 ef 01 23 45 ef 01 23 45 ef 01 23 45 ef 01 23 45
> Plaintext
> 0000 00 00 00 00 00 00 00 00 00 00
> Ciphertext
> 0000 d6 a1 41 a7 ec 3c 38 df bd 61
>
> test SSL protocol
>
> test ssl3 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> 14357:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> mode:ssl_lib.c:1321:
> 14357:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> mode:ssl_lib.c:1321:
>
> test ssl2 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> 14363:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> mode:ssl_lib.c:1321:
>
> 14363:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
> mode:ssl_lib.c:1321:
> test tls1
> *** IN FIPS MODE ***
> TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
>
> test tls1 with server authentication
>
>
>  I know that the error is bound to happen since we are in FIPS mode. But the
> test should have been modified accordingly so that no such errors are
> seen. Is this seen by the openssl developers or am I missing something here?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
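
The following is an added example, not part of the original thread or of OpenSSL's test suite. It reads output shaped like the quoted "make test" run and passes a "forbidden in FIPS mode" section only when the refusal error is present and no handshake line appears. The sample text is constructed from the quoted output, and the "SSLv2"/"SSLv3" handshake prefixes are an assumption modelled on the "TLSv1, cipher" line.

```python
import re

# Constructed sample shaped like the output quoted in the thread; the first
# error is left wrapped across two lines, as the mail client wrapped it.
SAMPLE = """\
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
14357:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips
mode:ssl_lib.c:1321:

test ssl2 is forbidden in FIPS mode
*** IN FIPS MODE ***
14363:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1321:

test tls1
*** IN FIPS MODE ***
TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 512 bit RSA
"""

EXPECTED_ERR = "only tls allowed in fips mode"
# Assumption: a completed handshake is reported as "<version>, cipher ...".
HANDSHAKE = re.compile(r"^(SSLv2|SSLv3|TLSv1), cipher ")

def split_sections(text):
    """Group non-blank output lines under the 'test ...' heading before them."""
    sections, current = {}, None
    for line in text.splitlines():
        if line.startswith("test "):
            current = line.strip()
            sections[current] = []
        elif current and line.strip():
            sections[current].append(line.strip())
    return sections

def check(text):
    """Return {heading: 'PASS' or 'FAIL'} for each test section."""
    results = {}
    for name, lines in split_sections(text).items():
        refused = EXPECTED_ERR in " ".join(lines)  # tolerate wrapped errors
        connected = any(HANDSHAKE.match(l) for l in lines)
        if "forbidden in FIPS mode" in name:
            ok = refused and not connected  # negative test: must be refused
        else:
            ok = connected and not refused  # positive test: must connect
        results[name] = "PASS" if ok else "FAIL"
    return results

if __name__ == "__main__":
    for heading, verdict in check(SAMPLE).items():
        print(f"{verdict}  {heading}")
```

A forbidden-protocol section that shows a handshake line, or shows nothing at all, is reported as FAIL.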
