On Wed, Nov 19, 2014, Matt Caswell wrote:

> On 19/11/14 22:57, Charles Mills wrote:
> > User response: If the error occurred while executing
> > in FIPS mode, check that only FIPS key sizes are used.
> > Collect a System SSL trace containing the error and
> > then contact your service representative.
> >
> > I can connect between the client and the server using the set of parameters
> > under test. They negotiate TLSV1.1 and what you call DHE-RSA-AES256-SHA and
>
> FIPS 140-2 places restrictions on the size of the RSA key that you can
> use. I'm not a FIPS 140-2 expert but I believe you have to be compliant
> with the various other FIPS standards including FIPS 186-4(?):
>
> "This Standard specifies three choices for the length of the modulus
> (i.e., nlen): 1024, 2048 and 3072 bits. Federal Government entities shall
> generate digital signatures using one or more of these choices."
>
> So how big is your RSA key on the server? Are you able to post the
> certificate?
>

Also the DH parameter size should be at least 1024 bits.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org