Your key's digest is set to md5.  This is disallowed in FIPS mode.

Also, 3DES is not allowed in FIPS mode, either.

-Kyle H

On Tue, Mar 10, 2009 at 3:22 PM, Davin Chan <dsc...@nas.nasa.gov> wrote:
> I am trying to get mutt to use a FIPS validated OpenSSL to send/receive encrypted emails.  When
> I don't set the environment variable OPENSSL_FIPS=1, everything works fine.
>
> When I try the same command to decrypt an email with OPENSSL_FIPS set, it fails with:
>
> env OPENSSL_FIPS=1 openssl smime -decrypt  -passin stdin -inform DER -in %f -inkey %k -recip %c
>
> unable to load signing key file
> 11851:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
> 11851:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
> 11851:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
>
> And when I try to look at my private key with FIPS enabled, it fails with:
>
> env OPENSSL_FIPS=1 openssl rsa -in <file> -text
> Enter pass phrase for <file>:
> unable to load Private Key
> 12050:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
> 12050:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
> 12050:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
>
> So it looks like it doesn't like the encryption on my private key.  The default encryption on my key should be
> triple DES, but I've also tried to change the encryption on my key to aes256, but it still fails with the same
> message.  How do I get my private key into a format acceptable to FIPS?  Or is there something else that I'm
> missing?
>
> Davin
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-us...@openssl.org
> Automated List Manager                           majord...@openssl.org
>
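An added example, not part of the original thread: a Python check that tells a traditional encrypted PEM key (Proc-Type/DEK-Info headers) from a PKCS#8 one, and reproduces the passphrase-to-key derivation OpenSSL applies to the traditional format (EVP_BytesToKey with MD5, one iteration). The digest is MD5 whatever cipher DEK-Info names, which fits the EVP_DigestInit_ex error persisting after a switch to aes256. The sample headers, IV and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed sample headers (no real key material): the two PEM formats
# OpenSSL writes for passphrase-protected private keys.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

(base64 body omitted)
-----END RSA PRIVATE KEY-----
"""
PKCS8_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
(base64 body omitted)
-----END ENCRYPTED PRIVATE KEY-----
"""

def classify_key(pem_text):
    """Return (format, cipher, iv_hex) for a PEM private key file."""
    label = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem_text)
    if not label:
        raise ValueError("no PEM header found")
    dek = re.search(r"^DEK-Info:\s*([^,\s]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem_text and dek:
        # Traditional format: the key is derived with MD5, whatever the cipher.
        return ("legacy-pem-md5-kdf", dek.group(1), dek.group(2))
    if label.group(1) == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the KDF and cipher are named inside the ASN.1 body.
        return ("pkcs8-encrypted", None, None)
    return ("unencrypted", None, None)

def legacy_pem_kdf(passphrase, iv_hex, key_len):
    """EVP_BytesToKey as used for traditional PEM: MD5, count 1,
    salt = first 8 bytes of the DEK-Info IV."""
    salt = bytes.fromhex(iv_hex)[:8]
    key, block = b"", b""
    while len(key) < key_len:
        # D_i = MD5(D_{i-1} || passphrase || salt)
        block = hashlib.md5(block + passphrase + salt).digest()
        key += block
    return key[:key_len]
```

A key reported as `legacy-pem-md5-kdf` can be re-wrapped outside FIPS mode with `openssl pkcs8 -topk8 -v2 aes256`, which writes PKCS#8 with PBKDF2 instead of the MD5 derivation.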