On Fri, Jul 24, 2009, Michael Kurecka wrote:
> I finally succeeded in adding debug to openssl, but it doesn't seem to
> be working completely. I was able to set the breakpoint at the point
> you mentioned Dr. Henson but I'm not sure how that will tell me what
> is being called. I am not able to break on ssl3_init_finished_mac,
> ssl3_connect or SSL_connect for some reason. Here is the trace and
> let me know what I should do from here.
>
> Breakpoint 2, EVP_DigestInit_ex (ctx=0xb712c, type=0x40188908, impl=0x0)
> at digest.c:292
> 292
> EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS);
> (gdb) bt
> #0 EVP_DigestInit_ex (ctx=0xb712c, type=0x40188908, impl=0x0) at digest.c:292
> #1 0x4003ff70 in ssl3_init_finished_mac () from /usr/lib/libssl.so.0.9.8
> #2 0x4003e534 in ssl3_connect () from /usr/lib/libssl.so.0.9.8
> #3 0x4004ebf4 in SSL_connect () from /usr/lib/libssl.so.0.9.8
> #4 0x00075150 in tls_connection_handshake (ssl_ctx=<value optimized out>,
> conn=0xb6dd0, in_data=0xb8e08 "\224á,@\224á,@\020", in_len=0,
> out_len=0xb6cf0, appl_data=0xbecf5218, appl_data_len=0xbecf5214)
> at ../src/crypto/tls_openssl.c:1797
That does help. It looks like you are using the standard libssl from whatever
linux distro you have and not one designed to use a FIPS capable OpenSSL. As
a result it wont set the flags that make MD5 usable and you get that error.
You need to make sure you are using libssl from 0.9.8k and not the earlier
system one. You can check that libssl is FIPS capable by doing something like
this:
nm -D /usr/lib/libssl.so.0.9.8 | grep FIPS_mode
If you see something like:
U FIPS_mode
is is FIPS capable, if you see nothing it is not.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
