> From: openssl-users On Behalf Of Dr. Stephen Henson > Sent: Wednesday, January 21, 2015 09:28 > On Wed, Jan 21, 2015, John Laundree wrote: > > > Ok, so I will naively ask the question "How does one do TLS 1.0/1.1 in FIPS > mode? Or is this no longer allowed, i.e. TLS 1.2 only?" > > The use of MD5 for TLS 1.0/1.1 is treated as an exception which is allowed in > FIPS mode but general MD5 use is not. > To be exact, as I read it, the TLS1.0/1.1 *PRF* *combines* MD5+SHA1 for handshake/keyexchange, and is Approved on the basis that the combination is secure even if MD5 is not. The SSL3 PRF combines them more weakly and isn't Approved so SSL3 protocol is prohibited. Suites using (pure) HMAC-MD5 for data are not Approved, in any protocol version. And as you say MD5 as such is not allowed anywhere.
