Got it! The only password encryption algorithm (PBE) supported for FIPS mode is pbeWithSha1And3DesCbc.
In OpenSSL PKCS12, I needed to add -certpbe PBE-SHA1-3DES

Sheesh! Would a more specific error message kill them?

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Charles Mills
Sent: Monday, November 6, 2017 5:41 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: What cryptographic algorithm is not supported?

Okay, I got trace information out of gskkyman. What do you make of this?

INFO crypto_des3_encrypt_ctx(): Clear key DES3 encryption performed for 8 bytes
INFO crypto_des3_decrypt_ctx(): Clear key DES3 decryption performed for 8 bytes
INFO crypto_des3_encrypt_ctx_alet(): Clear key DES3 encryption performed for 8 bytes
INFO crypto_des3_decrypt_ctx_alet(): Clear key DES3 decryption performed for 8 bytes
INFO crypto_aes_encrypt_ctx(): Clear key AES 128-bit encryption performed for 16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 128-bit decryption performed for 16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 128-bit encryption performed for 16 bytes
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 128-bit decryption performed for 16 bytes
INFO crypto_aes_encrypt_ctx(): Clear key AES 256-bit encryption performed for 16 bytes
INFO crypto_aes_decrypt_ctx(): Clear key AES 256-bit decryption performed for 16 bytes
INFO crypto_aes_encrypt_ctx_alet(): Clear key AES 256-bit encryption performed for 16 bytes
INFO crypto_aes_decrypt_ctx_alet(): Clear key AES 256-bit decryption performed for 16 bytes
INFO crypto_rsa_public_encrypt(): RSA modulus is 2048 bits
INFO crypto_rsa_public_encrypt(): Software RSA public key encryption performed
INFO crypto_rsa_private_decrypt(): Using PKCS private key
INFO crypto_rsa_private_decrypt(): RSA modulus is 2048 bits
INFO crypto_rsa_private_decrypt(): Software RSA private key decryption performed
INFO open_kdb_check_filedata(): Record size 5000, Record count 12
INFO gsk_build_issuer_chains(): Record 'Equifax Secure Certificate Authority' is self-signed
INFO gsk_build_issuer_chains(): Record 'Equifax Secure eBusiness CA-2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G2' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 1 Public Primary CA - G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 2 Public Primary CA - G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 4 Public Primary CA - G3' is self-signed
INFO gsk_build_issuer_chains(): Record 'VeriSign Class 3 Public Primary CA - G5' is self-signed
INFO gsk_build_issuer_chains(): Record 'CMC_root_Exp_2024a' is self-signed
INFO open_kdb_check_filedata(): Record size 5000, Record count 0
ERROR crypto_pbe_decrypt_data(): Algorithm 36 is not supported for PBE
ERROR import_pkcs12v3(): Unable to decrypt EncryptedData message: Error 0x03353003
ERROR gsk_decode_import_key(): Unable to import PKCS12 V3: Error 0x03353003
ERROR gsk_import_key(): Unable to decode subject certificate or chain: Error 0x03353003

Algorithm 36 (cipher suite 36?) is TLS_DH_DSS_WITH_AES_256_CBC_SHA. Where does that come into the picture? What is PBE?

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
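
An added example, not part of the original thread: a POSIX shell check that reads the text printed by "openssl pkcs12 -info -noout" and flags any part of a PKCS#12 file not protected by pbeWithSHA1And3-KeyTripleDES-CBC, the name OpenSSL prints for PBE-SHA1-3DES. Both sample outputs are constructed, and bundle.p12 is a placeholder file name.

```shell
#!/bin/sh
# Added example (not from the thread): list the PBE algorithm protecting each
# part of a PKCS#12 file, parsed from `openssl pkcs12 -info -noout` output.

# Name OpenSSL prints for PBE-SHA1-3DES, the algorithm the post reports works.
ALLOWED='pbeWithSHA1And3-KeyTripleDES-CBC'

# stdin: -info text. stdout: one "<part>: <algorithm>" line per encrypted part.
pbe_algs() {
    sed -n -E 's/^(PKCS7 Encrypted data|Shrouded Keybag): ([^,]+).*/\1: \2/p'
}

# stdin: -info text. Prints the parts not protected by $ALLOWED.
# Returns 0 if all parts are allowed, 1 if any is not, 2 if none were found.
check_pbe() {
    parts=$(pbe_algs)
    [ -n "$parts" ] || { echo "no encrypted parts found"; return 2; }
    bad=$(printf '%s\n' "$parts" | grep -v -F ": $ALLOWED") || true
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Constructed sample: default export from an OpenSSL release before 3.0
# (certificates under 40-bit RC2, private key under 3DES).
sample_default() {
    cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
}

# Constructed sample: the same export with -certpbe PBE-SHA1-3DES added.
sample_3des() {
    sample_default | sed 's/pbeWithSHA1And40BitRC2-CBC/pbeWithSHA1And3-KeyTripleDES-CBC/'
}

echo "default export:"; sample_default | check_pbe || echo "  -> re-export with -certpbe PBE-SHA1-3DES"
echo "with -certpbe:";  sample_3des | check_pbe && echo "  all parts use $ALLOWED"
# Real file (bundle.p12 is a placeholder; prompts for the import password):
#   openssl pkcs12 -info -noout -in bundle.p12 2>&1 | check_pbe
```

The private key bag has its own option, -keypbe, which takes the same algorithm names as -certpbe.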