I have been doing some researching and come across a few posts on Qualys forums / wiki stating that SSLv3 is not FIPS 140-2 compliant. It seems fairly well documented and you will get a "No" with respect to FIPS ready on the web scanner if SSLv3 is allowed. However, I can't seem to find where exactly the source for this viewpoint on SSLv3 is coming from? I'm trying to get one of my sites FIPS 140-2 ready/compliant and can't seem to find it actually documented anywhere what's actually allowed/not allowed here. I don't see any real mention of it pro or con in any of the NIST documents. Furthermore, if I list out ciphers from openssl command line with the "FIPS" directive.. it lists plenty of SSLv3 ciphers.. e.g.:
$ openssl ciphers FIPS -v|grep SSLv3|head -n 5
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
Anyone have any guidance on this in writing somewhere? I can't seem to find it being disallowed or allowed and openssl is telling me it's OK.