Lior Aharoni wrote:

> I have encountered a problem when trying to use OpenSSL command to
> decode PKCS12 file, I am using OpenSSL 0.9.8j that was built with FIPS
> support enabled.
> When working in non FIPS mode I perform the following operation successfully:
> K:\>openssl
> OpenSSL> pkcs12 -in k:\server.p12.pfx
> When I am in FIPS mode and perform the same operation I get the following error:
> Error outputting keys and certificates
> 7956:error:0607B090:digital envelope routines:EVP_CipherInit_ex:disabled for fips:.\crypto\evp\enc_min.c:306:

This means your PKCS12 file uses some algorithm that is not permitted in FIPS mode.

> Can someone shed light on why this does not work in FIPS mode?

In FIPS mode, only algorithms permitted in FIPS mode are permitted. Algorithms that are not permitted in FIPS mode are not permitted.

> How does this functionality contradict the FIPS requirements?

It's hard to say without seeing the PKCS12 file. MD5 would be my guess.

> Is there an alternative that I can use that will work in FIPS mode?

This is a crazy question. It is doing what you asked it to do. You want to know how to get it to do something else without changing what you are asking? This is working. When you ask for FIPS mode, you are specifically saying you would prefer failure to using an insecure algorithm. It is failing rather than using an insecure algorithm, which is exactly what you asked for. If you want something else, you have to ask for something else.

Again, correct operation in FIPS mode is to fail when interoperability that is prohibited by FIPS is attempted. It is one of the major requirements of FIPS mode.

DS
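
The reply above says the cause cannot be named without seeing the PKCS12 file. As an added example (not part of the original message and not OpenSSL code), this Python code lists the algorithm OIDs that a definite-length DER structure such as a PKCS#12 file declares, and flags those found in a table of algorithms that are not FIPS-approved. The table, the function names and the constructed sample bytes are assumptions of this example.

```python
P12, P5 = "1.2.840.113549.1.12.1.", "1.2.840.113549.1.5."
NOT_APPROVED = {  # this example's assumption (OpenSSL long names), not taken from the thread
    P12 + "1": "pbeWithSHA1And128BitRC4", P12 + "2": "pbeWithSHA1And40BitRC4",
    P12 + "5": "pbeWithSHA1And128BitRC2-CBC", P12 + "6": "pbeWithSHA1And40BitRC2-CBC",
    P5 + "3": "pbeWithMD5AndDES-CBC", "1.2.840.113549.2.5": "md5",
}

def read_tlv(buf, pos):  # -> (tag, value_start, value_end) of the DER element at pos
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0      # long form: n length bytes follow
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    if first == 0x80 or pos + n + length > len(buf):
        raise ValueError("indefinite-length or truncated element")
    return tag, pos + n, pos + n + length

def decode_oid(body):
    arcs, value = [], 0
    for b in body:                               # base 128, high bit means "more bytes"
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    if not arcs:
        raise ValueError("empty OID")
    first = min(arcs[0] // 40, 2)                # first subidentifier packs two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def collect_oids(buf):
    found, pos = [], 0
    while pos < len(buf):
        tag, start, end = read_tlv(buf, pos)
        if tag == 0x06:                          # OBJECT IDENTIFIER
            found.append(decode_oid(buf[start:end]))
        elif tag & 0x20 or tag == 0x04:          # constructed, or OCTET STRING wrapping DER
            try:
                found += collect_oids(buf[start:end])
            except (ValueError, IndexError):
                if tag != 0x04:                  # salts and ciphertext are opaque: skip them
                    raise
        pos = end
    return found

def fips_blockers(der):
    return sorted({NOT_APPROVED[o] for o in collect_oids(der) if o in NOT_APPROVED})
def tlv(tag, body):                              # encoder for the constructed sample (< 128 bytes)
    return bytes([tag, len(body)]) + body
def alg_id(oid):                                 # AlgorithmIdentifier { OID, { salt, iterations } }
    return tlv(0x30, tlv(0x06, oid) + tlv(0x30, tlv(0x04, b"\xa5" * 8) + tlv(0x02, b"\x08\x00")))
PBE = bytes.fromhex("2a864886f70d010c01")        # DER body of 1.2.840.113549.1.12.1
SAMPLE = tlv(0x30, tlv(0x04, alg_id(PBE + b"\x06")) + alg_id(PBE + b"\x03"))  # RC2-40, then 3DES
```

For a real file, pass its bytes to `fips_blockers`; BER files that use indefinite lengths are rejected rather than parsed.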