Re: [openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)
On Wed, Nov 11, 2015, jonetsu wrote:

> Hello,
>
> There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL
> 1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to
> handle a certificate using a non-FIPS component. I think I found the commit
> that fixes this, although it is part of a quite huge commit of 33,065 lines
> (7e1b7485706c2b11091b5fa897fe496a2faa56cc) done earlier this year.
>
> There is perhaps a simpler commit that fixes only this issue
> (92830dc1ca0bb2d12bf05a12ebb798709595fa5a) although I can't see the commit in
> the git tree I fetched last week, even by branching to
> remotes/origin/OpenSSL_1_0_1-stable.
>
> We are using 1.0.1e. My question is, was bug RT3515 included in a later
> 1.0.1 release? If so, which one?

Try commit cdb6c48445ded3daafab32e5f266943d07bb512b

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] (2013) : PKCS12 keystore creation failing in fips mode (RT3515)
Hello,

There is a thread in 2013 (30 May 03:15) in which Steve writes that OpenSSL
1.0.1 has a bug regarding the use of PKCS12 in FIPS mode since it tries to
handle a certificate using a non-FIPS component. I think I found the commit
that fixes this, although it is part of a quite huge commit of 33,065 lines
(7e1b7485706c2b11091b5fa897fe496a2faa56cc) done earlier this year.

There is perhaps a simpler commit that fixes only this issue
(92830dc1ca0bb2d12bf05a12ebb798709595fa5a) although I can't see the commit in
the git tree I fetched last week, even by branching to
remotes/origin/OpenSSL_1_0_1-stable.

We are using 1.0.1e. My question is, was bug RT3515 included in a later
1.0.1 release? If so, which one?

(If you can also clear up why the patch is not seen... :)

Much appreciated, thanks.
Re: PKCS12 keystore creation failing in fips mode
Hello Steve,

Thanks for your response. Is there a corresponding API where we can impose
this descert option?

-Anamitra

On 5/29/13 6:15 PM, Dr. Stephen Henson st...@openssl.org wrote:
> On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:
>> We are trying to create a pkcs12 keystore in FIPS mode using OpenSSL 1.0.1
>> and it fails with the following error:
>>
>> 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
>> Enter Export Password:
>> Verifying - Enter Export Password:
>> 4151633544:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
>> 4151633544:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
>> 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
>> 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
>> 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:
>>
>> The same command works in FIPS mode. So I have the following questions:
>>
>> 1. Is there a way to work around the issue and still be able to create a
>>    pkcs12 format keystore in FIPS mode?
>> 2. This command worked in earlier versions of openssl like 0.9.8l in FIPS
>>    mode. What has changed in 1.0.1 that it has stopped working in FIPS mode?
>>
>> Any pointers will be appreciated.
>
> That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in
> FIPS mode.
>
> Workaround: use the -descert option.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org

__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
Re: PKCS12 keystore creation failing in fips mode
On Thu, May 30, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:
> Hello Steve,
>
> Thanks for your response. Is there a corresponding API where we can impose
> this descert option?

If you are using PKCS12_create() just set the certificate PBE algorithm to
NID_pbe_WithSHA1And3_Key_TripleDES_CBC

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
PKCS12 keystore creation failing in fips mode
We are trying to create a pkcs12 keystore in FIPS mode using OpenSSL 1.0.1
and it fails with the following error:

9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
Enter Export Password:
Verifying - Enter Export Password:
4151633544:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
4151633544:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:

The same command works in FIPS mode. So I have the following questions:

1. Is there a way to work around the issue and still be able to create a
   pkcs12 format keystore in FIPS mode?
2. This command worked in earlier versions of openssl like 0.9.8l in FIPS
   mode. What has changed in 1.0.1 that it has stopped working in FIPS mode?

Any pointers will be appreciated.

Thanks,
Anamitra
Re: PKCS12 keystore creation failing in fips mode
On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote:
> We are trying to create a pkcs12 keystore in FIPS mode using OpenSSL 1.0.1
> and it fails with the following error:
>
> 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore
> Enter Export Password:
> Verifying - Enter Export Password:
> 4151633544:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
> 4151633544:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
> 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
> 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
> 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:
>
> The same command works in FIPS mode. So I have the following questions:
>
> 1. Is there a way to work around the issue and still be able to create a
>    pkcs12 format keystore in FIPS mode?
> 2. This command worked in earlier versions of openssl like 0.9.8l in FIPS
>    mode. What has changed in 1.0.1 that it has stopped working in FIPS mode?
>
> Any pointers will be appreciated.

That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in
FIPS mode.

Workaround: use the -descert option.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
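The workaround Steve gives twice in this thread (the -descert option on the command line, and NID_pbe_WithSHA1And3_Key_TripleDES_CBC as the certificate PBE when calling PKCS12_create()) comes down to one thing: the 1.0.1 pkcs12 code encrypts the certificate bag with pbeWithSHA1And40BitRC2-CBC by default, and RC2 is not a FIPS-approved cipher, so FIPS_CIPHERINIT reports "disabled for fips". Selecting the SHA1/3DES PBE for the certificate bag keeps every cipher in the file inside the approved set. The script below is an added example, not code from the thread or from the OpenSSL project: it builds a throwaway key and certificate, exports them with -descert (the long-hand form is -certpbe PBE-SHA1-3DES) plus an explicit -keypbe PBE-SHA1-3DES, then reads the bag algorithms back with `openssl pkcs12 -info -noout` and fails unless every encrypted bag names the 3DES PBE. It assumes an `openssl` binary on PATH; the subject name, file names and password are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from the OpenSSL project.
# Exports a PKCS#12 file whose certificate bag and key bag are both
# protected with pbeWithSHA1And3-KeyTripleDES-CBC (what -descert selects),
# then reads the algorithms back with `openssl pkcs12 -info` to confirm that
# no bag uses the 1.0.1 default (40-bit RC2), the cipher FIPS_CIPHERINIT
# refuses. Assumes an `openssl` binary on PATH; the identity, file names and
# password are constructed for the demo.
set -eu

# Constructed input: a throwaway self-signed certificate and key.
make_test_identity() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=pkcs12-descert-demo" \
        -keyout "$d/key.pem" -out "$d/cert.pem" >/dev/null 2>&1
}

# -descert is shorthand for -certpbe PBE-SHA1-3DES. The key bag is made
# explicit too: 1.0.x already defaults it to 3DES, 3.x defaults to AES-256.
export_p12_3des() {
    d=$1; pass=$2
    openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
        -descert -keypbe PBE-SHA1-3DES \
        -passout "pass:$pass" -out "$d/store.p12"
}

# Print one line per encrypted bag, each naming its PBE algorithm
# ("PKCS7 Encrypted data: ..." for the certificate bag, "Shrouded Keybag: ..."
# for the key bag). -noout keeps the key and certificate off the terminal.
p12_algorithms() {
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 \
        | grep -E 'Encrypted data|Keybag' || true
}

# Succeed only if every encrypted bag uses the SHA1/3DES PBE; any other
# algorithm (RC2-40 in particular) fails the check.
check_fips_friendly() {
    algs=$(p12_algorithms "$1" "$2")
    [ -n "$algs" ] || return 1
    if printf '%s\n' "$algs" | grep -qv 'pbeWithSHA1And3-KeyTripleDES-CBC'; then
        return 1
    fi
    return 0
}

# End to end: build the identity, export, show the algorithms, check, clean up.
run_demo() {
    d=$(mktemp -d)
    make_test_identity "$d"
    export_p12_3des "$d" "demo-password"
    p12_algorithms "$d/store.p12" "demo-password"
    if check_fips_friendly "$d/store.p12" "demo-password"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}

run_demo
```

The same check is worth running on any PKCS#12 file an application produces through PKCS12_create(): the nid_cert and nid_key arguments of that call are where NID_pbe_WithSHA1And3_Key_TripleDES_CBC goes, and passing 0 for nid_cert on 1.0.x silently gets you the RC2-40 default that the thread is about. Note that running the script on a non-FIPS build only proves which algorithms the file contains, not that the module was in FIPS mode when it was written; and on current OpenSSL releases 3DES is itself deprecated and the pkcs12 default has moved to AES-256-CBC, so treat -descert as a compatibility setting for old 1.0.1 FIPS builds rather than a hardening step.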