While ssl handshake happens, getting error Operation not allowed in fips mode

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

While ssl handshake happens, getting error Operation not allowed in fips mode

B Venkateswarlu

Hello, 

   While the SSL handshake is happening,I am getting the error as below 
SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not allowed in fips mode.
ssl handshake went well up to client sending key exchange to server and failing in the process of send client verify. Why this error happens ? and How to overcome this ? 

Background: 
 1.  I built Openssl in FIPS mode. From the supplicant (application) I called FIPS_mode_set(1) API. In my use-case I am trying to connect WPA2 Enterprise Wi-Fi network which has EAP-TLS configured (used radius server to setup EAP-TLS).   

2. From the network packets it is confirmed that the client and the server agreed on to use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher suit. Also found that if in case TLS_RSA_WITH_AES_256_CBC_SHA256 cipher suit is selected  then also it throws the same above mentioned error. 

3. I am using openssl verson 1.0.2f(client side). radius server(3.0.11) . Server is running in ubuntu 14.04 

  Please let me know if you need any further information. 

                              Thank you in advance. 

Regards, 
Venkat.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: While ssl handshake happens, getting error Operation not allowed in fips mode

Jakob Bohm-7
On 04/05/2016 08:15, mani kanta wrote:

>
> Hello,
>
>    While the SSL handshake is happening,I am getting the error as below
> SSL_connect error:0408E09E:rsa routines:PKEY_RSA_SIGN:operation not
> allowed in fips mode.
> ssl handshake went well up to client sending key exchange to server
> and failing in the process of send client verify. Why this error
> happens ? and How to overcome this ?
>
> Background:
>  1.  I built Openssl in FIPS mode. From the supplicant (application) I
> called FIPS_mode_set(1) API. In my use-case I am trying to connect
> WPA2 Enterprise Wi-Fi network which has EAP-TLS configured (used
> radius server to setup EAP-TLS).
>
> 2. From the network packets it is confirmed that the client and the
> server agreed on to use TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 cipher
> suit. Also found that if in case TLS_RSA_WITH_AES_256_CBC_SHA256
> cipher suit is selected  then also it throws the same above mentioned
> error.
>
> 3. I am using openssl verson 1.0.2f(client side). radius
> server(3.0.11) . Server is running in ubuntu 14.04
>
>
Is your RSA key too short (FIPS mode imposes a minimum key
length by refusing to use shorter keys).



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users