FIPS-Ready checks

Question asked by Peter Thoenen on Feb 23, 2012
Latest reply on Oct 25, 2012 by tmgraves

So the question I have is: what are the exact criteria SSL Labs' FIPS 140-2 check uses when a site fails its FIPS-ready test? I'm asking this in a roundabout troubleshooting way.

Basically I have a site that works with non-Schannel users (i.e. Chrome) but fails with Schannel users (i.e. Internet Explorer). I know for a fact this is a result of a GP that enables FIPS compliance in Windows (part of the USGCB standard), as I have troubleshot it by toggling the setting on and off. The initial tests showed the offending site to be non-FIPS cipher compliant, but that has since been resolved. That being said, SSL Labs still shows the site as non-FIPS compliant and Schannel still fails, leading me to believe I am missing something obvious. So at this point I'm trying to figure out which check the site is failing with SSL Labs, as it's probably causing Schannel to fail also, so I can fix it.


Offending Site: https://www.ssllabs.com/ssldb/analyze.html?d=ops13web%2enws%2enoaa%2egov


My gut tells me this is the problem: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)


Both NIST SP 800-52 and FIPS 140-2 state that this cipher suite is a valid FIPS 140-2 cipher. Microsoft also confirms it as valid for Schannel in http://msdn.microsoft.com/en-us/library/windows/desktop/ff468651(v=vs.85).aspx


That being said, my gut is also telling me there was a NIST SP 800-52 or FIPS 140-2 addendum that prohibited this, and that this cipher suite was removed from Schannel in Windows 7 SP1 / Windows 2000 R2 [and Microsoft hasn't published an updated Schannel document]. I'm thinking it's possibly related to FIPS 180-3 and the deprecation of SHA-1.


So back to the original question: why is this site failing (per SSL Labs) FIPS Ready? I'm missing something and won't be offended in the slightest if it's obvious.
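A way to reproduce the kind of check the question is asking about, as an added example that is not part of the original post and is not SSL Labs' own test: the script below parses IANA-style cipher suite names into key exchange, bulk cipher and MAC, applies a simplified reading of the NIST SP 800-52 approved-primitive rules (an assumption written for this example, not a quote of the standard or of SSL Labs' criteria), and separates "every offered suite is approved" from "a FIPS-mode Schannel client could still find one suite in common", which is the distinction that matters for the Internet Explorer failure. The suite list and protocol list in the usage call are constructed, not what the site in the question actually offered; the live probe function uses the host name from the question and is only run from the `__main__` block.

```python
"""Classify TLS cipher suites against simplified FIPS 140-2 / SP 800-52 rules and
optionally probe a live server for the suites it will actually negotiate.

Added example for this thread; the APPROVED_* sets are an assumption about the
2012-era approved primitives and are not SSL Labs' check.
"""
import re
import socket
import ssl

# Suite-name grammar: TLS_<key exchange>_WITH_<bulk cipher>_<MAC>. SSLv2 names such as
# SSL_CK_RC4_128_WITH_MD5 never match the pattern and are rejected outright.
SUITE_RE = re.compile(
    r"^(?:TLS|SSL)_(?P<kx>[A-Za-z_]+?)_WITH_(?P<cipher>.+)_(?P<mac>SHA384|SHA256|SHA|MD5|NULL)$"
)

# Assumed approved primitives: authenticated RSA/DH/ECDH key exchange, AES or 3DES,
# SHA-1 or SHA-2 HMAC. Anonymous, export, PSK, RC4, DES, MD5 and NULL are rejected.
APPROVED_KX = {"RSA", "DHE_RSA", "DHE_DSS", "DH_RSA", "DH_DSS",
               "ECDHE_RSA", "ECDHE_ECDSA", "ECDH_RSA", "ECDH_ECDSA"}
APPROVED_CIPHERS = {"AES_128_CBC", "AES_256_CBC", "AES_128_GCM", "AES_256_GCM", "3DES_EDE_CBC"}
APPROVED_MACS = {"SHA", "SHA256", "SHA384"}


def classify_suite(suite):
    """Return (approved, reason) for one IANA-style suite name."""
    m = SUITE_RE.match(suite)
    if not m:
        return False, "unrecognised or SSLv2-only suite name"
    kx, cipher, mac = m.group("kx", "cipher", "mac")
    if kx not in APPROVED_KX:
        return False, "key exchange %s not approved (anonymous/export/PSK)" % kx
    if cipher not in APPROVED_CIPHERS:
        return False, "bulk cipher %s not approved" % cipher
    if mac not in APPROVED_MACS:
        return False, "MAC %s not approved" % mac
    return True, "ok"


def fips_report(suites, protocols):
    """Evaluate an advertised suite list plus protocol versions.

    fips_ready (assumption: the strict reading) requires TLS 1.0+, no SSL 2.0 and
    every offered suite approved. fips_client_can_connect is the weaker condition a
    FIPS-mode Schannel client actually needs: TLS 1.0+ and at least one approved suite.
    """
    problems = []
    has_tls = any(p.startswith("TLS") for p in protocols)
    if "SSL 2.0" in protocols:
        problems.append("SSL 2.0 enabled")
    if not has_tls:
        problems.append("no TLS 1.0 or later; a FIPS-mode client never offers SSL 3.0")
    approved = []
    for s in suites:
        ok, why = classify_suite(s)
        if ok:
            approved.append(s)
        else:
            problems.append("%s: %s" % (s, why))
    return {
        "fips_ready": not problems,
        "fips_client_can_connect": has_tls and bool(approved),
        "approved_suites": approved,
        "problems": problems,
    }


def probe_suites(host, openssl_names, port=443, timeout=5):
    """One handshake per OpenSSL cipher name; return (name, version) pairs accepted.

    Live network call, not exercised offline. TLS 1.3 is capped out because its
    suites are negotiated independently of set_ciphers().
    """
    accepted = []
    for name in openssl_names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # enumerating suites, not validating the cert
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2
        try:
            ctx.set_ciphers(name)
        except ssl.SSLError:
            continue  # the local OpenSSL build does not have this suite at all
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    accepted.append((name, tls.version()))
        except (ssl.SSLError, OSError):
            pass
    return accepted


if __name__ == "__main__":
    # Constructed sample, not the real SSL Labs output for the site in the question.
    sample_suites = ["TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                     "TLS_RSA_WITH_RC4_128_MD5", "TLS_RSA_EXPORT_WITH_RC4_40_MD5"]
    report = fips_report(sample_suites, ["SSL 3.0", "TLS 1.0"])
    for line in report["problems"]:
        print("problem:", line)
    print("fips_ready:", report["fips_ready"],
          "fips_client_can_connect:", report["fips_client_can_connect"])
    # Host from the question; OpenSSL names for the two suites a FIPS-mode client offers.
    print(probe_suites("ops13web.nws.noaa.gov", ["DES-CBC3-SHA", "AES128-SHA"]))
```

Modern OpenSSL builds refuse 3DES and TLS 1.0 at the default security level, so on a current machine `probe_suites` may need `"@SECLEVEL=0:DES-CBC3-SHA"` as the cipher string to test what a 2012 Schannel client would have offered.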