On Mon, Oct 01, 2007, Bill Colvin wrote:

> One might expect that aes-256-cbc would operate the same regardless of
> whether it is FIPS mode or not. Am I missing something here?

You aren't just using aes-256-cbc, you are also using a key derivation algorithm that converts the password into a key of the appropriate length. This derivation algorithm uses MD5 when FIPS mode is disabled for compatibility with previous versions of OpenSSL. In FIPS mode MD5 is forbidden so it uses SHA1 instead. The different digests result in different keys being derived and the error you see.

If you include the "-md sha1" option it should work.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
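
The effect described in the reply above, as an added example that is not part of the original message or OpenSSL's own code: a Python re-implementation of the single-iteration EVP_BytesToKey derivation that `openssl enc` applies to a password, run once with MD5 and once with SHA1. The password and salt are constructed sample values, and the function names are hypothetical.

```python
import hashlib


def evp_bytes_to_key(password: bytes, salt: bytes, digest: str,
                     key_len: int = 32, iv_len: int = 16):
    """Single-iteration EVP_BytesToKey: D_i = H(D_{i-1} || password || salt).

    Blocks D_1, D_2, ... are concatenated until there are enough bytes
    for the key (32 for aes-256-cbc) followed by the IV (16).
    """
    material = b""
    block = b""
    while len(material) < key_len + iv_len:
        block = hashlib.new(digest, block + password + salt).digest()
        material += block
    return material[:key_len], material[key_len:key_len + iv_len]


def same_key(password: bytes, salt: bytes, enc_md: str, dec_md: str) -> bool:
    """True if the encrypting and decrypting side derive identical key and IV."""
    return (evp_bytes_to_key(password, salt, enc_md)
            == evp_bytes_to_key(password, salt, dec_md))


if __name__ == "__main__":
    # Constructed sample input; a real file carries its salt in the
    # 8 bytes that follow the "Salted__" header.
    password = b"example-passphrase"
    salt = bytes.fromhex("0102030405060708")

    for md in ("md5", "sha1"):
        key, iv = evp_bytes_to_key(password, salt, md)
        print(f"{md:5} key={key.hex()} iv={iv.hex()}")

    # Encrypted outside FIPS mode (MD5), decrypted in FIPS mode (SHA1):
    print("md5 -> sha1 keys match:", same_key(password, salt, "md5", "sha1"))
    # Both sides pinned to the same digest, as "-md sha1" does:
    print("sha1 -> sha1 keys match:", same_key(password, salt, "sha1", "sha1"))
```

The script needs a Python build whose hashlib still offers MD5; an interpreter linked against a FIPS-enforcing OpenSSL may refuse it, for the same reason given in the reply.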