While ssl handshake happens, getting error Operation not allowed in fips mode

On 04/05/2016 08:15, mani kanta wrote:
>
> Hello,
>
> While the SSL handshake is happening, I am getting the error below:
> SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not 
> allowed in fips mode.
> The SSL handshake went well up to the client sending the key exchange
> to the server and is failing in the process of sending the client
> verify. Why does this error happen, and how can I overcome it?
>
> Background:
> 1. I built OpenSSL in FIPS mode. From the supplicant (application) I
> called the FIPS_mode_set(1) API. In my use case I am trying to connect
> to a WPA2 Enterprise Wi-Fi network which has EAP-TLS configured (I used
> a RADIUS server to set up EAP-TLS).
>
> 2. From the network packets it is confirmed that the client and the
> server agreed to use the TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher
> suite. I also found that if the TLS_RSA_WITH_AES_256_CBC_SHA256
> cipher suite is selected, it throws the same error mentioned
> above.
>
> 3. I am using OpenSSL version 1.0.2f (client side) and RADIUS
> server 3.0.11. The server is running on Ubuntu 14.04.
>
>
Is your RSA key too short (FIPS mode imposes a minimum key
length by refusing to use shorter keys)?



Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
