On Mon, Mar 2, 2009 at 1:49 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Mon, Mar 02, 2009, Kyle Hamilton wrote:
>
>>
>> A question: Is there/should there be a "FIPSCOMPAT" or equivalent
>> string which can be added to the cipher string, to add all
>> FIPS-specified ciphers to the cipher list? (I would also suggest
>> "FIPS" as a standalone cipher string, which would only be valid if the
>> library were already running in FIPS-validated mode.)
>>
>
> The set of FIPS compatible ciphersuites is represented by the string "FIPS".
>
> In FIPS mode you cannot select any other ciphersuites: non FIPS ciphersuites
> are disabled.

Would it make any sense to allow an administrator to attempt to ensure FIPS-compliant mode via the use of the "FIPS" protocol string, making it an error if the library is not in FIPS mode?

In FIPS mode, can specific FIPS-validated ciphers be enabled or disabled after the "FIPS" protocol string is provided?

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org