[openssl-dev] Low level API call to digest SHA1 forbidden in FIPS mode - within openssl code

On Thu, Mar 24, 2016, Glen Matthews wrote:

> Hi
> 
> Yes it's a standard build. FIPS 2.0 with openssl 1.0.2g - I took a dump when the dialog box was displayed, and that's how I got the call stack. 
> 
>     if (x->ex_flags & EXFLAG_SET)
>         return;
> #ifndef OPENSSL_NO_SHA
>     X509_digest(x, EVP_sha1(), x->sha1_hash, NULL);
> #endif
> 
> I inspected the values in x509v3_cache_extensions() - the code above is from the beginning of it - and the test fails, so we drop down into the digest call.
> 

Something strange is going on and I'm not sure what yet. 

At the start of EVP_DigestInit_ex() the implementation should be switched to
the validated module version which then should never call the prohibited low
level calls.

When you say it's a standard build you've presumably followed the FIPS module
build instructions to the letter and produced the FIPS capable OpenSSL from
that? Is there anything unusual you are doing like using an ENGINE
for some operations?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

