Thanks guys for all of the clues! I got it working! Long story. Wow, FIPS is
a moving target. I re-did my root CA with SHA 256, and my server
certificate. I had to move my testing from z/OS V1R13 to z/OS V2R1 --
*apparently* V1R13 does not support TLS V1.2 which as you intimated at some
point may be required for things that FIPS requires. (A corollary would seem
to be that z/OS V1R13 does not support current FIPS requirements but don't
quote me on that.)

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Friday, November 21, 2014 11:00 AM
To: openssl-users@openssl.org
Subject: Re: SSL alert number 51

On Fri, Nov 21, 2014, Charles Mills wrote:

> Thanks. I guess I may have to open a problem with IBM. The IBM
> documentation clearly lists a number of "cipher suites" (as they call
> them) that use SHA1 (including the one we (IBM+OpenSSL) default to) as
> being FIPS 140-2 compliant.
>
> GSK appears to only support SHA1 and MD5, and MD4 is pretty clearly
> not FIPS 140-2 compliant.
> 
> Hmm. I had this note partly composed when Dr. Henson's reply came in. 
> I am thoroughly mystified.
> 

Could you try to connect your client to OpenSSL's s_server utility with the
-state (or for 1.0.2 -trace)? If we can find out what message is triggering
that error it might give some hints.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
