On Fri, Apr 24, 2015, jonetsu wrote:
>
> ... Along with TLS 1.0 (which is absent from OpenSSL FIPS mode)
>
> https://www.niap-ccevs.org/pp/pp.cfm?id=CPP_ND_V1.0
>
> Specifically:
>
> "FCS_TLSS_EXT.1.2 The TSF shall deny connections from clients requesting
> SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0"
>
> "FCS_TLSS_EXT.2.2 The TSF shall deny connections from clients requesting
> SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0"
>
> In this case, would it be possible to simply compile OpenSSL without
> support for SSL 3.0, while having FIPS mode taking care of the rest? I do
> not remember the exact option now, although I'm almost sure there's a
> compile option to exclude SSL 3.0. Am I right and would that work?
>

In FIPS mode SSL 3.0 is not allowed: that has always been the case. TLS 1.0 is currently permitted though.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
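The practical consequence of the exchange above is that FIPS mode alone does not satisfy FCS_TLSS_EXT.1.2 / FCS_TLSS_EXT.2.2: SSL 3.0 is already excluded, but TLS 1.0 must be refused by the server's own configuration (with OpenSSL 1.0.x that is the `SSL_OP_NO_TLSv1` context option; `no-ssl2` / `no-ssl3` are Configure-time build options, and neither removes TLS 1.0). The following is an added example, not code from this thread or from OpenSSL, that shows what "clients requesting SSL 2.0, SSL 3.0 or TLS 1.0" means on the wire and how a server-side check would decide on it. It reads the version the client actually requests (the client_version field of a ClientHello, or the version inside an SSLv2-format hello) rather than the TLS record-layer version, which many TLS 1.2 clients still set to 0x0301 for compatibility. The minimal hello messages it builds are constructed for the example and truncated to the fields the check reads.

```python
"""Decide whether a server bound by FCS_TLSS_EXT.1.2 may admit a ClientHello.

Added example, not the mailing-list poster's or OpenSSL's code. The decision
is taken on the version the client requests, never on the record-layer
version. TLS 1.3 clients put 0x0303 in client_version and negotiate upward
via the supported_versions extension, so they pass this check unchanged.
"""
import struct

# 16-bit protocol version values as they appear in a hello message.
VERSION_NAMES = {
    0x0002: "SSL 2.0",
    0x0300: "SSL 3.0",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",
    0x0304: "TLS 1.3",
}
# Everything below TLS 1.1 is denied by the protection profile (SSL 1.0 has
# no wire encoding, so "anything below 0x0302" covers it as well).
MINIMUM_ALLOWED = 0x0302


def requested_version(hello: bytes) -> int:
    """Return the protocol version a client asks for, as a 16-bit value.

    Two framings are understood:
      * SSLv3/TLS record: content type 0x16, record version (ignored here),
        2-byte length, then a handshake message of type 0x01 whose first
        field after the 4-byte handshake header is client_version.
      * SSLv2-compatible hello: 2-byte length with the high bit set,
        message type 0x01, then the version. Old clients use this framing
        even when asking for SSL 3.0 or TLS 1.0.
    Raises ValueError for anything that is not a recognisable ClientHello.
    """
    if len(hello) < 5:
        raise ValueError("too short to be a ClientHello")
    if hello[0] == 0x16:
        (record_len,) = struct.unpack("!H", hello[3:5])
        body = hello[5:5 + record_len]
        if len(body) < 6 or body[0] != 0x01:
            raise ValueError("record does not carry a ClientHello")
        (client_version,) = struct.unpack("!H", body[4:6])
        return client_version
    if hello[0] & 0x80:
        if hello[2] != 0x01:
            raise ValueError("SSLv2-style message is not a ClientHello")
        (client_version,) = struct.unpack("!H", hello[3:5])
        return client_version
    raise ValueError("unrecognised ClientHello framing")


def admit(hello: bytes) -> tuple[bool, str]:
    """Apply FCS_TLSS_EXT.1.2: deny SSL 2.0, SSL 3.0 and TLS 1.0 requests."""
    version = requested_version(hello)
    name = VERSION_NAMES.get(version, f"version 0x{version:04x}")
    if version < MINIMUM_ALLOWED:
        return False, f"denied: client requested {name}"
    return True, f"accepted: client requested {name}"


def tls_hello(client_version: int, record_version: int = 0x0301) -> bytes:
    """Constructed minimal TLS-framed ClientHello (version + 32-byte random;
    session id, cipher suites and extensions omitted)."""
    body = struct.pack("!H", client_version) + b"\x00" * 32
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + struct.pack("!H", record_version)
            + struct.pack("!H", len(handshake)) + handshake)


def v2_hello(version: int) -> bytes:
    """Constructed minimal SSLv2-format ClientHello (cipher specs omitted)."""
    body = b"\x01" + struct.pack("!H", version)
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    samples = {
        "TLS 1.2 client, record version 0x0301": tls_hello(0x0303),
        "TLS 1.1 client": tls_hello(0x0302),
        "TLS 1.0 client": tls_hello(0x0301),
        "SSL 3.0 client": tls_hello(0x0300, record_version=0x0300),
        "SSLv2-format hello asking for TLS 1.0": v2_hello(0x0301),
        "SSL 2.0 client": v2_hello(0x0002),
    }
    for label, hello in samples.items():
        print(f"{label:40s} -> {admit(hello)[1]}")
```

The point the check makes is that a TLS 1.2 client whose record header says 0x0301 is still a TLS 1.2 client; a server that keyed its decision on the record version would wrongly refuse it. Whether a server should also refuse SSLv2-format framing outright, regardless of the version inside it, is a separate policy choice; this example only enforces the version rule the profile states.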