1 files changed, 16 insertions, 0 deletions
diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c
index c45a8e0a04..bc918170e1 100644
--- a/src/lib/libssl/s23_clnt.c
+++ b/src/lib/libssl/s23_clnt.c
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
                        version_major = TLS1_VERSION_MAJOR;
                        version_minor = TLS1_VERSION_MINOR;
                        }
+#ifdef OPENSSL_FIPS
+                else if(FIPS_mode())
+                        {
+                        SSLerr(SSL_F_SSL23_CLIENT_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                        return -1;
+                        }
+#endif
                else if (version == SSL3_VERSION)
                        {
                        version_major = SSL3_VERSION_MAJOR;
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
                if ((p[2] == SSL3_VERSION_MINOR) &&
                        !(s->options & SSL_OP_NO_SSLv3))
                        {
+#ifdef OPENSSL_FIPS
+                        if(FIPS_mode())
+                                {
+                                SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
+                                        SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
+                                goto err;
+                                }
+#endif
                        s->version=SSL3_VERSION;
                        s->method=SSLv3_client_method();
                        }

diff --git a/src/lib/libssl/s23_clnt.c b/src/lib/libssl/s23_clnt.c index c45a8e0a04..bc918170e1 100644 --- a/src/lib/libssl/s23_clnt.c +++ b/src/lib/libssl/s23_clnt.c
@@ -257,6 +257,14 @@ static int ssl23_client_hello(SSL *s)
257	version_major = TLS1_VERSION_MAJOR;	257	version_major = TLS1_VERSION_MAJOR;
258	version_minor = TLS1_VERSION_MINOR;	258	version_minor = TLS1_VERSION_MINOR;
259	}	259	}
		260	#ifdef OPENSSL_FIPS
		261	else if(FIPS_mode())
		262	{
		263	SSLerr(SSL_F_SSL23_CLIENT_HELLO,
		264	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		265	return -1;
		266	}
		267	#endif
260	else if (version == SSL3_VERSION)	268	else if (version == SSL3_VERSION)
261	{	269	{
262	version_major = SSL3_VERSION_MAJOR;	270	version_major = SSL3_VERSION_MAJOR;
@@ -536,6 +544,14 @@ static int ssl23_get_server_hello(SSL *s)
536	if ((p[2] == SSL3_VERSION_MINOR) &&	544	if ((p[2] == SSL3_VERSION_MINOR) &&
537	!(s->options & SSL_OP_NO_SSLv3))	545	!(s->options & SSL_OP_NO_SSLv3))
538	{	546	{
		547	#ifdef OPENSSL_FIPS
		548	if(FIPS_mode())
		549	{
		550	SSLerr(SSL_F_SSL23_GET_SERVER_HELLO,
		551	SSL_R_ONLY_TLS_ALLOWED_IN_FIPS_MODE);
		552	goto err;
		553	}
		554	#endif
539	s->version=SSL3_VERSION;	555	s->version=SSL3_VERSION;
540	s->method=SSLv3_client_method();	556	s->method=SSLv3_client_method();
541	}	557	}