It was my mistake, I had misunderstood that DES itself was not allowed and therefore derivatives of it were not allowed either.
-Kyle H

On Wed, Mar 11, 2009 at 5:43 AM, <carlyo...@keycomm.co.uk> wrote:
>
> Triple-DES is listed in the OpenSSL 1.2 security policy and is listed as
> approved by NIST, so why would it not be available?
>
> Carl
>
>
> On Wed 11/03/09 12:01 PM , Kyle Hamilton aerow...@gmail.com sent:
> > Your key's digest is set to md5. This is disallowed in FIPS mode.
> > Also, 3DES is not allowed in FIPS mode, either.
> >
> > -Kyle H
> >
> > On Tue, Mar 10, 2009 at 3:22 PM, Davin Chan <dsc...@nas.nasa.gov> wrote:
>> I am trying to get mutt to use a FIPS validated OpenSSL to send/receive
>> encrypted emails. When I don't set the environment variable
>> OPENSSL_FIPS=1, everything works fine.
>>
>> When I try the same command to decrypt an email with OPENSSL_FIPS set, it
>> fails with:
>>
>> env OPENSSL_FIPS=1 openssl smime -decrypt -passin stdin -inform DER -in %f -inkey %k -recip %c
>>
>> unable to load signing key file
>> 11851:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
>> 11851:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
>> 11851:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
>>
>> And when I try to look at my private key with FIPS enabled, it fails with:
>>
>> env OPENSSL_FIPS=1 openssl rsa -in -text
>> Enter pass phrase for :
>> unable to load Private Key
>> 12050:error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips:digest.c:292:
>> 12050:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:330:
>> 12050:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:428:
>>
>> So it looks like it doesn't like the encryption on my private key. The
>> default encryption on my key should be triple DES, but I've also tried to
>> change the encryption on my key to aes256, but it still fails with the
>> same message. How do I get my private key into a format acceptable to
>> FIPS? Or is there something else that I'm missing?
>>
>> Davin
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-us...@openssl.org
>> Automated List Manager majord...@openssl.org
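
Added example, not part of the thread or of OpenSSL: the PEM_do_header frames in the trace belong to OpenSSL's traditional encrypted PEM format (Proc-Type / DEK-Info headers), where the passphrase is always turned into a key with EVP_BytesToKey using MD5, whatever cipher DEK-Info names, which is consistent with the aes256 re-encryption failing the same way. The Python below classifies a key file by its PEM header; classify_pem_key and the sample inputs are constructed for illustration, and it assumes the key in the thread is in that traditional format.

```python
import re

# Constructed sample inputs: headers only, bodies are placeholders, not real keys.
LEGACY_3DES = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n"
    "PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
)
LEGACY_AES = LEGACY_3DES.replace(
    "DES-EDE3-CBC,0123456789ABCDEF",
    "AES-256-CBC,00112233445566778899AABBCCDDEEFF",
)
PKCS8_ENC = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    "PLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n"
)

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.M)
DEK_RE = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),[0-9A-Fa-f]+\s*$", re.M)
ENC_RE = re.compile(r"^Proc-Type:\s*4,ENCRYPTED\s*$", re.M)


def classify_pem_key(pem_text):
    """Classify a PEM private key by its encapsulation (hypothetical helper).

    md5_kdf is True when the passphrase-to-key step is the traditional PEM
    one (EVP_BytesToKey with MD5), False when there is no passphrase step,
    and None when the KDF is recorded inside the PKCS#8 ASN.1 body and so
    cannot be read from the PEM header.
    """
    m = BEGIN_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM BEGIN line found")
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        return {"format": "pkcs8-encrypted", "cipher": None, "md5_kdf": None}
    if label == "PRIVATE KEY":
        return {"format": "pkcs8-plain", "cipher": None, "md5_kdf": False}
    if not label.endswith(" PRIVATE KEY"):
        raise ValueError("not a private key: " + label)
    if ENC_RE.search(pem_text):
        dek = DEK_RE.search(pem_text)
        cipher = dek.group(1) if dek else None
        return {"format": "traditional-encrypted", "cipher": cipher, "md5_kdf": True}
    return {"format": "traditional-plain", "cipher": None, "md5_kdf": False}
```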