I am trying to test the Fips capable openssl and when i am testing it i am getting some error
openssl req -x509 -newkey rsa:2048 -out $HOME/exampleca/cacert.pem -outform PEM Generating a 2048 bit RSA private key ....................................................................................+++ ......+++ writing new private key to '//exampleca/private/cakey.pem' Enter PEM pass phrase: Verifying - Enter PEM pass phrase: ----- digest.c(150): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored IOT/Abort trap(coredump) There is another error also when i am issuing the smime command Data Base Updated openssl smime -encrypt -in /server_req/mail.txt -des3 -out /server_req/mail.enc /exampleca/certs/01.pem in smime command Enter pass phrase for /server_req/server_priv_key.pem: unable to load signing key file 704646:error:0608008D:digital envelope routines:EVP_DigestInit:disabled for fips:digest.c:237: 704646:error:06065064:digital envelope routines:EVP_DecryptFinal:bad decrypt:evp_enc.c:509: 704646:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:423: Does this means that this function (EVP_DigestInit) is not supported by fips mode Please help me Thanks Joshi On Thu, Sep 25, 2008 at 5:55 AM, Steve Marquess <[EMAIL PROTECTED]>wrote: > David Schwartz wrote: > > In many cases, FIPS actually results in (you might reasonably think, at > least) reduced security. ... > > > > C) Quasi-FIPS. All FIPS rules are followed, except where it is genuinely > believed that these rules reduce security or are unreasonably impractical. > For example, obvious bugfixes might be allowed, even if the code hadn't been > re-FIPS checked. In the case of OpenSSL, you might allow changes to > optimization or code generation flags. An "obviously correct" optimized SHA1 > algorithm might be used, even if it hasn't been approved yet. (Or if it > wasn't selected for the platform due to a detection bug.) > > > IMHO it's hard to argue that FIPS *validated* software isn't clearly > less secure in a real world sense, simply due to the fact that the > validation process by its very nature provides heavy disincentives to > the aggressive and proactive pursuit of suspected security vulnerabilities. > > Frankly you shouldn't use FIPS validated software unless specifically > required to for formal policy compliance reasons. > > Use of FIPS *compliant* cryptography (strong crypto and FIPS approved > algorithms) is another matter, but then you're not artificially > constraining your options for identifying and correcting implementation > vulnerabilities. > > -Steve M. > > -- > Steve Marquess > Open Source Software institute > [EMAIL PROTECTED] > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > -- Regards Joshi Chandran
