AnsweredAssumed Answered

Is SSLv3 really not FIPS 140-2 compliant?

Question asked by Sven Boxer on Sep 7, 2014
Latest reply on Sep 9, 2014 by Ivan Ristić

I have been doing some researching and come across a few posts on Qualys forums / wiki stating that SSLv3 is not FIPS 140-2 compliant. It seems fairly well documented and you will get a "No" with respect to FIPS ready on the web scanner if SSLv3 is allowed. However, I can't seem to find where exactly the source for this viewpoint on SSLv3 is coming from? I'm trying to get one of my sites FIPS 140-2 ready/compliant and can't seem to find it actually documented anywhere what's actually allowed/not allowed here. I don't see any real mention of it pro or con in any of the NIST documents. Furthermore, if I list out ciphers from openssl command line with the "FIPS" directive.. it lists plenty of SSLv3 ciphers.. e.g.:

 

$ openssl ciphers FIPS -v|grep SSLv3|head -n 5

ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1

ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1

AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1

 

***

 

Anyone have any guidance on this in writing somewhere? I can't seem to find it being disallowed or allowed and openssl is telling me it's OK.

 

thanks

Outcomes