On 19/11/14 22:57, Charles Mills wrote:
> Dave -
> 
> Thanks much.
> 
>> Either there's a bug somewhere or you are being attacked (MitM'ed).
> 
> Unlikely I am being MitM'ed -- the connection is over a VPN. (Why TLS when
> there is already a VPN in place? I am testing TLS software and the VPN is a
> fact of life and my only client to server link.)
> 
>> Do you mean the server, running 1.0.1h on Win7, produced this error
>> message, or some client talking *to* such a server produced the error?
> 
> Statement was kind of ambiguous, wasn't it? The server, which is OpenSSL
> 1.0.1h 5 Jun 2014, produced this message, when the client attempted to
> connect.
> 
> The client is application software that uses the IBM GSK crypto library on
> z/OS. The error message at the client end is Error code 9 returned from GSK
> function gsk_secure_socket_init(): Cryptographic processing error. It is my
> code that produces that exact message, but the 9 comes back from the
> indicated method and the text comes from a system function, gsk_strerror(9).
> The documentation says
> 
> 9 Cryptographic processing error.
> Explanation: An error is detected by a cryptographic
> function. This error may also occur if key sizes that are
> non-FIPS are used during an SSL handshake while
> operating in FIPS mode.

My guess is that this last sentence is the cause of your problem.

> User response: If the error occurred while executing
> in FIPS mode, check that only FIPS key sizes are used.
> Collect a System SSL trace containing the error and
> then contact your service representative.
> 
> I can connect between the client and the server using the set of parameters
> under test. They negotiate TLSV1.1 and what you call DHE-RSA-AES256-SHA and

FIPS 140-2 places restrictions on the size of the RSA key that you can
use. I'm not a FIPS 140-2 expert but I believe you have to be compliant
with the various other FIPS standards including FIPS 186-4(?):

"This Standard specifies three choices for the length of the modulus
(i.e.,nlen): 1024, 2048 and 3072 bits. Federal Government entities shall
generate digital signatures using one or more of these choices."

So how big is your RSA key on the server? Are you able to post the
certificate?

Matt
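To answer Matt's question without posting the certificate, the modulus length can be read straight out of the server's public key. The following is an added example, not code from the thread or from OpenSSL: a stdlib-only DER walker that takes a SubjectPublicKeyInfo or bare RSAPublicKey (for instance the output of `openssl x509 -in server.pem -pubkey -noout`, run through `pem_to_der`) and reports whether the modulus length is one of the three FIPS 186-4 choices quoted above. The sample key at the bottom is constructed in place, not a real key.

```python
import base64

# Modulus lengths (nlen) listed in the FIPS 186-4 passage quoted in the thread.
FIPS_186_4_RSA_NLEN = (1024, 2048, 3072)

def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour and base64-decode the body."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the RSA modulus in a DER SubjectPublicKeyInfo or RSAPublicKey."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "expected outer SEQUENCE"
    first_tag, first, nxt = _read_tlv(body, 0)
    if first_tag == 0x30:                   # SubjectPublicKeyInfo: AlgorithmIdentifier, BIT STRING
        bit_tag, bitstr, _ = _read_tlv(body, nxt)
        assert bit_tag == 0x03, "expected BIT STRING holding RSAPublicKey"
        return rsa_modulus_bits(bitstr[1:])  # skip the unused-bits octet, recurse into RSAPublicKey
    assert first_tag == 0x02, "expected INTEGER modulus"
    return int.from_bytes(first, "big").bit_length()

def fips_186_4_check(der):
    """Return (modulus_bits, is_listed_fips_186_4_size)."""
    bits = rsa_modulus_bits(der)
    return bits, bits in FIPS_186_4_RSA_NLEN

# --- Constructed sample input (hypothetical key, not a real certificate) ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # +8 keeps a leading 0x00 when the top bit is set
    return b"\x02" + _der_len(len(b)) + b

def _der_seq(*items):
    body = b"".join(items)
    return b"\x30" + _der_len(len(body)) + body

RSA_ENCRYPTION_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption OID + NULL

def _spki(rsa_pubkey_der):
    bitstr = b"\x00" + rsa_pubkey_der
    return _der_seq(RSA_ENCRYPTION_ALGID, b"\x03" + _der_len(len(bitstr)) + bitstr)

SAMPLE_RSA_PUBKEY_DER = _der_seq(_der_int((1 << 2047) | 1), _der_int(65537))  # 2048-bit modulus
SAMPLE_SPKI_DER = _spki(SAMPLE_RSA_PUBKEY_DER)
```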

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
