Here's the certificate which is failing:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: CN=www.casofti.com, ST=BC, C=CA/emailAddress=dniko...@casofti.com, O=Teradici CA
        Validity
            Not Before: Mar 20 23:12:14 2012 GMT
            Not After : Mar 20 23:12:14 2013 GMT
        Subject: CN=www.terasofti.com, ST=BC, C=CA, O=tera_test_1024
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:a8:35:18:8f:a2:4f:79:99:70:57:37:bf:f7:f6:
                    ee:d8:6f:3b:fe:1b:c1:da:be:55:a0:f9:c4:d4:39:
                    a4:99:dd:b3:9f:d4:bd:0a:3a:50:7d:ad:f2:b6:29:
                    22:b3:3f:1e:c1:45:da:49:8b:43:fd:62:9a:94:c9:
                    bd:f5:54:96:c8:a1:d1:f8:0d:b7:a6:7d:54:00:72:
                    10:59:13:7c:b1:4f:93:d7:75:76:23:ea:14:8b:f8:
                    f5:59:c8:6a:f4:b7:f6:cd:0f:8e:f9:f5:65:d4:91:
                    af:48:87:3f:fa:da:c0:94:0a:57:5d:7e:fe:32:f8:
                    70:e4:c8:9f:3d:44:c2:ef:bd
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: md5WithRSAEncryption

Is it failing because of the (unapproved) md5 signature algorithm?

... N

---
Nou Dadoun
ndad...@teradici.com
604-628-1215

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: June 18, 2012 10:45 AM
To: openssl-users@openssl.org
Subject: Re: FIPS doesn't verify certificate with 1024-bit keys

On Mon, Jun 18, 2012, Nou Dadoun wrote:

>
> Why is it failing with the fips library and passing with the non-fips library
> - does it have anything to do with the 1024 bit key? (i.e. 2048 and 4096-key
> certs both work, and the ca cert has a 2048-bit key)
>

Do you get an additional error from ERR_print_errors_fp(stderr)?

Is the key size 1024 bits exactly or 1023?

What digest algorithm is used? Is it FIPS approved SHA1 or SHA2 or an
unapproved algorithm like MD5?

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
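
A pre-check for the question raised in this thread, added here as an example and not code from either poster or from OpenSSL: it reads `openssl x509 -text` output and reports the signature digest, whether the inner and outer signature algorithm fields agree, and the key size. The approved-digest set follows the reply above (SHA1 and SHA2 approved, MD5 not); the function name and both sample texts are constructed for illustration.

```python
import re

# Assumption taken from the reply in this thread: SHA1 and SHA2 digests are
# FIPS approved, MD5 is not. Adjust to the policy of the module you deploy.
APPROVED_DIGESTS = {"sha1", "sha224", "sha256", "sha384", "sha512"}

SIG_RE = re.compile(r"Signature Algorithm:\s*(\S+)")
# Matches "RSA Public Key: (1024 bit)" and the newer "Public-Key: (2048 bit)".
KEY_RE = re.compile(r"Public[- ]Key:\s*\((\d+) bit\)")
DIGEST_RE = re.compile(r"md[245]|sha\d+")


def check_cert_text(text):
    """Summarise digest and key size from `openssl x509 -text` output."""
    sig_algs = SIG_RE.findall(text)
    if not sig_algs:
        raise ValueError("no Signature Algorithm field found")
    # md5WithRSAEncryption -> md5, ecdsa-with-SHA256 -> sha256
    found = DIGEST_RE.search(sig_algs[0].lower())
    digest = found.group(0) if found else None
    key = KEY_RE.search(text)
    return {
        "signature_algorithm": sig_algs[0],
        # The dump prints the algorithm twice (inside and outside the signed
        # data); a mismatch means the certificate is malformed.
        "algs_consistent": len(set(sig_algs)) == 1,
        "digest": digest,
        "digest_approved": digest in APPROVED_DIGESTS,
        "key_bits": int(key.group(1)) if key else None,
    }


# Constructed sample: the fields of the certificate posted above, modulus omitted.
THREAD_CERT = """Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1)
Signature Algorithm: md5WithRSAEncryption
Subject Public Key Info: Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Signature Algorithm: md5WithRSAEncryption"""

# Constructed sample in the newer output layout, for comparison.
SHA256_CERT = """Certificate: Data: Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Signature Algorithm: sha256WithRSAEncryption"""

if __name__ == "__main__":
    for name, sample in (("thread", THREAD_CERT), ("sha256", SHA256_CERT)):
        print(name, check_cert_text(sample))
```
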