In 1.0.1e the following is observed when using OpenSSL in FIPS mode:
% OPENSSL_FIPS=1 openssl pkcs12 -export -in /tmp/ipsec.d/certs/192.168.11.1 -inkey /tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out /tmp/ipsec.d/192.168.11.1.p12 -password pass:""
3067167952:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
3067167952:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
3067167952:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:

In 'Re: PKCS12 keystore creation failing in fips mode' (May 29, 2013 9:15pm) the following is said:

"That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in FIPS mode. Workaround: use the -descert option."

It is not possible for us to upgrade OpenSSL, but it would be possible to apply a patch. Does a patch exist that fixes this problem and if so, where can it be found? I do not know how development is organized for OpenSSL (bug tracker, git?)

Thanks!
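
Added example, not part of the original message: a shell check of the quoted -descert workaround. It exports a throwaway certificate with -descert and reports which password-based encryption algorithm protects each part of the .p12 (the 1.0.1 default for the certificate bag is 40-bit RC2). It assumes an openssl binary on the PATH; the function names, file names and empty password are constructed for the example.

```shell
#!/bin/sh
# Added example; function names, paths and the empty password are constructed.

# Print the PBE algorithm protecting each encrypted part of a PKCS#12 file.
# $1 = .p12 file, $2 = password. "-info" writes these lines to stderr.
p12_pbe_report() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -info -noout 2>&1 |
        grep -E '^(PKCS7 Encrypted data|Shrouded Keybag)'
}

# Return 0 only if the file could be parsed and no part of it uses RC2.
# Returns 2 when nothing could be parsed, so a read failure is not a pass.
p12_no_rc2() {
    report=$(p12_pbe_report "$1" "$2") || return 2
    [ -n "$report" ] || return 2
    ! printf '%s\n' "$report" | grep -qi 'RC2'
}

# Create a throwaway key and self-signed certificate in directory $1,
# export them with -descert, and print the path of the resulting .p12.
make_descert_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=192.168.11.1" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -descert \
        -in "$1/cert.pem" -inkey "$1/key.pem" -name 192.168.11.1 \
        -out "$1/test.p12" -password pass: || return 1
    printf '%s\n' "$1/test.p12"
}
```

Running p12_pbe_report on an existing keystore shows whether it was written with the RC2 default or with triple DES before it is moved to a FIPS-mode host.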