Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Salz, Rich
> If they have counterparts in TLS that could be used, why wouldn't
> the TLS version show up instead?

Because they are *the same*. TLS did not take old ciphers and renumber or rename them.

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> SSLv3 in the ciphersuite definition means it can be used in
> SSLv3 *and later*. A ciphersuite isn't defined once for SSLv3,
> and then again for TLS1.0, and again for TLS1.1 etc - it's just
> defined once and is reused across multiple protocol versions.

Yes, this is what I basically understood.

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread Matt Caswell
On 28/04/15 13:31, jonetsu wrote:
>> That refers to the minimum version of the ciphersuite: it
>> doesn't imply that it will only be used in SSLv3 (which is
>> disabled in FIPS mode).
>
> Hmmm... I'm sorry but I do not really understand this. Since openssl is
> run in FIPS mode, and since SSLv

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-28 Thread jonetsu
> That refers to the minimum version of the ciphersuite: it
> doesn't imply that it will only be used in SSLv3 (which is
> disabled in FIPS mode).

Hmmm... I'm sorry but I do not really understand this. Since openssl is run in FIPS mode, and since SSLv3 is disabled, then why would the SSLv3 ciphe

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, jonetsu wrote:
> Hello,
>
> > In FIPS mode SSL 3.0 is not allowed: that has always been the
> > case.
>
> % openssl version
> OpenSSL 1.0.1f 6 Jan 2014
>
> % OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
>
> ECDHE-RSA-AES256-SHA SSLv3
> ECDHE-ECDSA-AES256-SHA SSLv3
> D

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hello,

> In FIPS mode SSL 3.0 is not allowed: that has always been the
> case.

% openssl version
OpenSSL 1.0.1f 6 Jan 2014

% OPENSSL_FIPS=1 openssl ciphers -v | grep SSL
ECDHE-RSA-AES256-SHA SSLv3
ECDHE-ECDSA-AES256-SHA SSLv3
DHE-RSA-AES256-SHA SSLv3
DHE-DSS-AES256-SHA SSLv3
[snip

Re: [openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread Dr. Stephen Henson
On Fri, Apr 24, 2015, jonetsu wrote:
>
> ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
>
> https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
>
> Specifically:
>
> "FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL
> 1.0, SSL 2.0, SSL 3.0, TLS 1

[openssl-users] FIPS: SSL 3.0 now forbidden in latest NDCPP update

2015-04-24 Thread jonetsu
Hi,

... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)

https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0

Specifically:

"FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0"

"FCS_TLSS_EXT.2.2 The TSF shall deny connections