Thanks. I guess I may have to open a problem with IBM. The IBM documentation clearly lists a number of "cipher suites" (as they call them) that use SHA1 (including the one we (IBM+OpenSSL) default to) as being FIPS 140-2 compliant.
GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly not FIPS 140-2 compliant.

Hmm. I had this note partly composed when Dr. Henson's reply came in. I am thoroughly mystified.

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Matt Caswell
Sent: Friday, November 21, 2014 7:04 AM
To: openssl-users@openssl.org
Subject: Re: SSL alert number 51

On 21/11/14 14:43, Charles Mills wrote:
> I posted the certificates. What's next?
>
> Charles

The key sizes look ok to me. As I said I'm no FIPS expert, but this page
http://wiki.openssl.org/index.php/FIPS_mode_and_TLS says the following:

"The RSA key in the certificate has to be of suitable size (2048 bits minimum) as do all other keys in the chain and none of the CAs can sign using SHA1."

But your certificates say:

Signature Algorithm: sha1WithRSAEncryption

So I'm wondering if that is the problem? Failing that you may need to approach IBM since the alert is being generated from their code.

Matt
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
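
The check discussed in the thread above, as an added example that is not part of the original messages or of OpenSSL: it scans `openssl x509 -noout -text` output for a chain and reports every certificate signed with a weak digest or carrying an RSA key below the 2048-bit minimum quoted from the wiki page. The sample chain, the `audit_chain` name and the weak-digest list are assumptions made for illustration.

```python
import re

MIN_RSA_BITS = 2048                    # minimum quoted from the wiki page in the thread
WEAK_DIGESTS = ("sha1", "md5", "md4")  # digest-name prefixes treated as weak (assumption)

# Constructed sample: trimmed `openssl x509 -noout -text` output for a three-cert chain.
SAMPLE = """\
Certificate:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=Example Issuing CA
        Subject: CN=server.example.test
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Root CA
        Subject: CN=Example Issuing CA
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
Certificate:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Example Root CA
        Subject: CN=Example Root CA
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
"""

def audit_chain(text):
    """Return (subject, problem) pairs for certs that break the quoted rule."""
    findings = []
    for block in re.split(r"(?m)^Certificate:[ \t]*$", text):
        if not block.strip():
            continue
        subj = re.search(r"(?m)^[ \t]*Subject:[ \t]*(.+)$", block)
        name = subj.group(1).strip() if subj else "<unknown subject>"
        sig = re.search(r"Signature Algorithm:[ \t]*(\S+)", block)
        if sig and sig.group(1).lower().startswith(WEAK_DIGESTS):
            findings.append((name, "signed with " + sig.group(1)))
        key_alg = re.search(r"Public Key Algorithm:[ \t]*(\S+)", block)
        bits = re.search(r"Public[- ]Key:[ \t]*\((\d+) bit\)", block)
        # The size rule is applied to RSA keys only; EC key sizes are not comparable.
        if key_alg and bits and key_alg.group(1) == "rsaEncryption":
            if int(bits.group(1)) < MIN_RSA_BITS:
                findings.append((name, "RSA key is %s bits" % bits.group(1)))
    return findings

if __name__ == "__main__":
    for subject, problem in audit_chain(SAMPLE):
        print("%s: %s" % (subject, problem))
```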