It was my mistake, I had misunderstood that DES itself was not allowed
and therefore derivatives of it were not allowed either.

-Kyle H

On Wed, Mar 11, 2009 at 5:43 AM,  <carlyo...@keycomm.co.uk> wrote:
>
> Triple-DES is listed in the OpenSSL 1.2 security policy and is listed as
> approved by NIST, so why would it not be available?
>
> Carl
>
>
> On Wed 11/03/09 12:01 PM , Kyle Hamilton aerow...@gmail.com sent:
>
> Your key's digest is set to md5. This is disallowed in FIPS mode.
>
> Also, 3DES is not allowed in FIPS mode, either.
>
> -Kyle H
>
> On Tue, Mar 10, 2009 at 3:22 PM, Davin Chan <dsc...@nas.nasa.gov> wrote:
>> I am trying to get mutt to use a FIPS validated OpenSSL to send/receive
>> encrypted emails.  When
>> I don't set the environment variable OPENSSL_FIPS=1, everything works
>> fine.
>>
>> When I try the same command to decrypt an email with OPENSSL_FIPS set, it
>> fails with:
>>
>> env OPENSSL_FIPS=1 openssl smime -decrypt  -passin stdin -inform DER -in
>> %f -inkey %k -recip %c
>>
>> unable to load signing key file
>> 11851:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled
>> for fips:digest.c:292:
>> 11851:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
>> decrypt:evp_enc.c:330:
>> 11851:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
>>
>> And when I try to look at my private key with FIPS enabled, it fails with:
>>
>> env OPENSSL_FIPS=1 openssl rsa -in -text
>> Enter pass phrase for :
>> unable to load Private Key
>> 12050:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled
>> for fips:digest.c:292:
>> 12050:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
>> decrypt:evp_enc.c:330:
>> 12050:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
>>
>> So it looks like it doesn't like the encryption on my private key.  The
>> default encryption on my key should be
>> triple DES, but I've also tried to change the encryption on my key to
>> aes256, but it still fails with the same
>> message.  How do I get my private key into a format acceptable to FIPS?
>>  Or is there something else that I'm
>> missing?
>>
>> Davin
>> ______________________________________________________________________
>> OpenSSL Project                                 http://www.openssl.org
>> User Support Mailing List                    openssl-us...@openssl.org
>> Automated List Manager                           majord...@openssl.org
>>

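An added example, not part of the thread or of OpenSSL's code: the error trace above runs PEM_do_header -> EVP_DigestInit_ex, because OpenSSL's traditional PEM encryption (the Proc-Type/DEK-Info headers) derives the key with a single MD5 pass whatever cipher is named, which is why re-encrypting the key with aes256 changed nothing. The sketch below classifies a key by its headers and reproduces that derivation; the sample headers, passphrase and function names are constructed for illustration.

```python
import hashlib
import re

# Key sizes (bytes) for ciphers commonly named in a DEK-Info header.
KEY_LEN = {"DES-EDE3-CBC": 24, "AES-128-CBC": 16, "AES-256-CBC": 32}

def classify_pem_key(pem: str) -> dict:
    """Report how a PEM private key is protected and whether MD5 is involved."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        # PKCS#8: KDF and cipher live inside the DER, so the headers cannot tell.
        return {"format": "pkcs8-encrypted", "md5_kdf": None}
    m = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem and m:
        # Traditional format: the key is derived with MD5 for every cipher.
        return {"format": "traditional-encrypted", "cipher": m.group(1).upper(),
                "iv": bytes.fromhex(m.group(2)), "md5_kdf": True}
    return {"format": "unencrypted", "md5_kdf": False}

def legacy_pem_key(passphrase: bytes, iv: bytes, key_len: int) -> bytes:
    """Traditional PEM derivation: MD5, one iteration, salt = first 8 IV bytes."""
    salt, out, block = iv[:8], b"", b""
    while len(out) < key_len:
        # usedforsecurity=False (Python 3.9+) lets this run on FIPS-enabled hosts.
        block = hashlib.md5(block + passphrase + salt,
                            usedforsecurity=False).digest()
        out += block
    return out[:key_len]

# Constructed sample headers; the key body is omitted because only the
# headers decide which derivation OpenSSL will attempt.
SAMPLE_3DES = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

(base64 body omitted)
-----END RSA PRIVATE KEY-----
"""
SAMPLE_AES = SAMPLE_3DES.replace("DES-EDE3-CBC,0123456789ABCDEF",
                                 "AES-256-CBC," + "0123456789ABCDEF" * 2)

if __name__ == "__main__":
    for name, pem in (("3des", SAMPLE_3DES), ("aes256", SAMPLE_AES)):
        info = classify_pem_key(pem)
        key = legacy_pem_key(b"example-pass", info["iv"], KEY_LEN[info["cipher"]])
        print(name, info["cipher"], "md5_kdf:", info["md5_kdf"], "key bytes:", len(key))
```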