On Thu, Jun 18, 2009, Lior Aharoni wrote:

> Hello,
>
> I have encountered a problem when trying to use OpenSSL command to decode
> PKCS12 file, I am using OpenSSL 0.9.8j that was built with FIPS support
> enabled.
>
> When working in non FIPS mode I perform the following operation
> successfully:
>
> K:\>openssl
>
> OpenSSL> pkcs12 -in k:\server.p12.pfx
>
> When I am in FIPS mode and perform the same operation I get the following
> error:
>
> Error outputting keys and certificates
>
> 7956:error:0607B090:digital envelope routines:EVP_CipherInit_ex:disabled for fips:.\crypto\evp\enc_min.c:306:
>
> 7956:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:.\crypto\evp\evp_pbe.c:101:
>
> 7956:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:.\crypto\pkcs12\p12_decr.c:83:
>
> 7956:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:.\crypto\pkcs12\p12_decr.c:123:
>
> error in pkcs12
>
> Can someone shed light on why this does not work in FIPS mode? How does this
> functionality contradict the FIPS requirements?
>
Most browser output PKCS#12 files use 40 bit RC2 to encrypt certificates. That
algorithm is not permitted in FIPS mode.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
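
An added example, not part of the original thread and not OpenSSL code: a password-free check that reports which PKCS#12 password-based encryption schemes a .p12/.pfx file declares, so the 40-bit RC2 case named in the reply can be spotted before the file reaches a FIPS-mode host. It is a heuristic byte scan for the pkcs-12PbeIds OIDs (RFC 7292), which sit in the clear for the outer containers; extending the flag from 40-bit RC2 to every RC2 and RC4 scheme is this example's generalization, and the function names and sample bytes are constructed for illustration.

```python
import sys

# DER tag + length + first nine content bytes of OID 1.2.840.113549.1.12.1.x
# (pkcs-12PbeIds); the byte that follows selects the scheme.
PKCS12_PBE_PREFIX = bytes.fromhex("060a2a864886f70d010c01")

# Scheme names as defined in RFC 7292, appendix C.
PBE_NAMES = {
    1: "pbeWithSHAAnd128BitRC4",
    2: "pbeWithSHAAnd40BitRC4",
    3: "pbeWithSHAAnd3-KeyTripleDES-CBC",
    4: "pbeWithSHAAnd2-KeyTripleDES-CBC",
    5: "pbeWithSHAAnd128BitRC2-CBC",
    6: "pbeWithSHAAnd40BitRC2-CBC",
}

def find_pbe_algorithms(data):
    """Return [(offset, name)] for every PKCS#12 PBE OID found in data."""
    hits = []
    pos = data.find(PKCS12_PBE_PREFIX)
    while pos != -1:
        end = pos + len(PKCS12_PBE_PREFIX)
        if end < len(data) and data[end] in PBE_NAMES:
            hits.append((pos, PBE_NAMES[data[end]]))
        pos = data.find(PKCS12_PBE_PREFIX, pos + 1)
    return hits

def rc2_rc4_algorithms(data):
    """Subset of hits that use RC2 or RC4, neither a FIPS-approved cipher."""
    return [h for h in find_pbe_algorithms(data) if "RC2" in h[1] or "RC4" in h[1]]

def _alg_id(pbe_id, salt, iterations=2048):
    """Constructed DER AlgorithmIdentifier: SEQUENCE { OID, SEQUENCE { salt, iterations } }."""
    params = b"\x04" + bytes([len(salt)]) + salt + b"\x02\x02" + iterations.to_bytes(2, "big")
    body = PKCS12_PBE_PREFIX + bytes([pbe_id]) + b"\x30" + bytes([len(params)]) + params
    return b"\x30" + bytes([len(body)]) + body

# Constructed sample, not a real PKCS#12 file: an RC2-40 identifier (as used for
# the certificate bag) and a triple-DES identifier (as used for the key bag),
# separated by filler bytes.
SAMPLE = b"\x00" * 4 + _alg_id(6, b"saltsalt") + b"\xff" * 16 + _alg_id(3, b"tlastlas")

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    flagged = rc2_rc4_algorithms(blob)
    for offset, name in find_pbe_algorithms(blob):
        mark = "RC2/RC4, expect a FIPS-mode failure" if (offset, name) in flagged else "not RC2/RC4"
        print(f"offset {offset:#06x}: {name} ({mark})")
```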