Difference in the methods for listing the FIPS ciphers

On Fri, Jan 08, 2016, jonetsu wrote:

> Hello,
> 
> Using 1.0.1e running FIPS module 2.0.9, the following two
> commands for querying the ciphers do not yield the same results.
> There are more ciphers declared in the 'string' version.
> 
> The 'environment variable' version:
> 
> % OPENSSL_FIPS=1 openssl ciphers -v |
> 
> The 'string' version:
> 
> % openssl ciphers -v 'FIPS'
> 
> In the 'string' version only:
>  
> 
> Is the 'environment variable' usage broken?
> 

No: the two are not equivalent.

The environment variable version lists the default ciphers with the non-FIPS
ciphers filtered out.

When you specify FIPS as the cipher string it specifies all ciphers which can
be used in FIPS mode including those not in the default list.

Specifically the default cipher string omits anonymous cipher suites.

If you do:

OPENSSL_FIPS=1 openssl ciphers -v ALL

you should get the same result as the FIPS cipher string.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
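
The difference described in the reply above can be checked mechanically. The script below is an added example, not part of the original thread or of OpenSSL: it compares two `openssl ciphers -v` listings and reports which suites appear only in the second and which offer no authentication (Au=None). The function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample lines in `openssl ciphers -v` layout; not captured output.
DEFAULT_FIPS='AES256-SHA          SSLv3 Kx=RSA Au=RSA  Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA  SSLv3 Kx=DH  Au=RSA  Enc=AES(128) Mac=SHA1'
STRING_FIPS="$DEFAULT_FIPS
ADH-AES256-SHA      SSLv3 Kx=DH  Au=None Enc=AES(256) Mac=SHA1
ADH-AES128-SHA      SSLv3 Kx=DH  Au=None Enc=AES(128) Mac=SHA1"

# Print suite names present in listing $2 but absent from listing $1.
only_in_second() {
    { printf '%s\n' "$1"; printf '%s\n' '@@SPLIT@@'; printf '%s\n' "$2"; } |
    awk '$1 == "@@SPLIT@@" { second = 1; next }
         NF == 0           { next }
         !second           { seen[$1] = 1; next }
         !($1 in seen)     { print $1 }'
}

# Print suite names in listing $1 whose authentication field is Au=None.
anon_suites() {
    printf '%s\n' "$1" |
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Au=None") { print $1; break } }'
}

# Summarise the difference between two listings.
report() {
    echo "Only in second listing:"
    only_in_second "$1" "$2" | sed 's/^/  /'
    echo "Anonymous (Au=None) suites in second listing:"
    anon_suites "$2" | sed 's/^/  /'
}

# On a FIPS-capable build, the two commands from the thread can be fed in:
#   report "$(OPENSSL_FIPS=1 openssl ciphers -v)" "$(openssl ciphers -v 'FIPS')"
report "$DEFAULT_FIPS" "$STRING_FIPS"
```

When the FIPS string is used as a cipher configuration rather than just for listing, appending `:!aNULL` excludes the suites that `anon_suites` reports.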

