Re: [openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

2016-02-19 Thread Dr. Stephen Henson
On Fri, Feb 19, 2016, Neptune wrote:

> failedcert.crt  
>  
> 
> Hello all,
> I've attached a .crt certificate file that we are experiencing a problem
> with. When trying to process this certificate using the PKCS7_decrypt( )
> function. The error string is:
> 
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
> 
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
> someone would be nice enough to inspect this file and verify if there is any
> non-FIPS-iness. I don't want to point fingers at the environment without
> proof.
> 

Well that link is not a certificate but a PKCS#7 signed data structure whose
content is itself a PKCS#7 enveloped data structure.

You mentioned PKCS7_decrypt() so that may be a reference to the inner content.
Analysing that with asn1parse shows that it is using single DES as the content
encryption algorithm (56 bits) which is not approved in FIPS mode. So I
suspect that is the cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
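
The check described in the reply above (reading the content-encryption algorithm out of an enveloped-data structure nested inside signed data) can be scripted; the following is an added example, not code from the thread or from OpenSSL. It assumes definite-length DER with the inner structure placed directly under the [0] content tag, uses a small illustrative cipher table, and runs on a constructed skeleton message rather than the poster's file.

```python
# Added example: name the content-encryption cipher of each PKCS#7 EnvelopedData in a DER blob.
ENVELOPED = bytes.fromhex("2a864886f70d010703")           # OID 1.2.840.113549.1.7.3
# Illustrative table (assumption), not OpenSSL's FIPS list: OID bytes -> (name, approved)
CIPHERS = {bytes.fromhex("2b0e030207"): ("des-cbc", False),       # single DES, 56-bit key
           bytes.fromhex("608648016503040102"): ("aes-128-cbc", True),
           bytes.fromhex("60864801650304012a"): ("aes-256-cbc", True)}

def children(buf, pos, end):
    """Split buf[pos:end] into (tag, value_start, value_end) definite-length TLVs."""
    out = []
    while pos < end:
        tag, first, pos = buf[pos], buf[pos + 1], pos + 2
        n = first & 0x7F if first & 0x80 else 0           # long form: n length bytes follow
        length = int.from_bytes(buf[pos:pos + n], "big") if n else first
        pos += n
        if first == 0x80 or pos + length > end:
            raise ValueError("indefinite length, or TLV runs past its container")
        out.append((tag, pos, pos + length))
        pos += length
    return out

def content_ciphers(buf, pos=0, end=None):
    """Return [(name, approved)] for each EnvelopedData found at any nesting depth."""
    kids = children(buf, pos, len(buf) if end is None else end)
    found = []
    if (len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] == 0xA0
            and buf[kids[0][1]:kids[0][2]] == ENVELOPED):          # ContentInfo(envelopedData)
        env = children(buf, *children(buf, *kids[1][1:])[0][1:])   # EnvelopedData fields
        eci = next(k for k in env if k[0] == 0x30)                 # encryptedContentInfo
        alg = children(buf, *children(buf, *eci[1:])[1][1:])[0]    # its AlgorithmIdentifier OID
        oid = buf[alg[1]:alg[2]]
        found.append(CIPHERS.get(oid, ("unrecognised " + oid.hex(), None)))
    for tag, start, stop in kids:
        if tag & 0x20:                                    # constructed type: descend
            found += content_ciphers(buf, start, stop)
    return found

def tlv(tag, body=b""):                                   # builder for the constructed sample
    return bytes([tag, len(body)]) + body                 # short-form lengths only

def sample(cipher_oid_hex):
    """Constructed skeleton: SignedData whose content is EnvelopedData (no keys, no real data)."""
    h = bytes.fromhex
    eci = tlv(0x30, tlv(6, h("2a864886f70d010701")) + tlv(0x30, tlv(6, h(cipher_oid_hex))
              + tlv(4, bytes(8))) + tlv(0x80, bytes(8)))
    env = tlv(0x30, tlv(2, b"\0") + tlv(0x31) + eci)      # empty recipient set: skeleton only
    inner = tlv(0x30, tlv(6, h("2a864886f70d010703")) + tlv(0xA0, env))
    signed = tlv(0x30, tlv(2, b"\1") + tlv(0x31) + inner + tlv(0x31))
    return tlv(0x30, tlv(6, h("2a864886f70d010702")) + tlv(0xA0, signed))
print(content_ciphers(sample("2b0e030207")))
```
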


[openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

2016-02-19 Thread Neptune
failedcert.crt   

Hello all,
I've attached a .crt certificate file that we are experiencing a problem
with. When trying to process this certificate using the PKCS7_decrypt( )
function. The error string is:

OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error

This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
to glean any specified error that would verify this suspicion. I was hoping
someone would be nice enough to inspect this file and verify if there is any
non-FIPS-iness. I don't want to point fingers at the environment without
proof.

Thanks for any help!



--
View this message in context: 
http://openssl.6102.n7.nabble.com/OPENSSL-error-21072077-PKCS7-routines-PKCS7-decrypt-in-FIPS-mode-tp63828.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.