On Tue, Feb 08, 2011, anmajumd wrote:

> Call to PEM_read_bio_PrivateKey function returns the following SSL Error in
> FIPS mode.
>
> error:06080090:digital envelope routines:EVP_DigestInit_ex:disabled for fips
> error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> error:0906A065:PEM routines:PEM_do_header:bad decrypt
>
> PEM_read_bio_PrivateKey would read the header in the private key and
> retrieve the encryption cipher, then it would try to generate the key using
> EVP_BytesToKey by passing MD5 as its second parameter. Since MD5 is
> hard-coded as the second parameter, any key file containing a header which
> specifies an encryption cipher would fail to be loaded in FIPS mode since
> MD5 is not allowed in FIPS mode.
>
> Is this a known issue that has been resolved in a later release of OpenSSL?

Since MD5 is not allowed in FIPS mode you cannot read keys which use the
"traditional format" for encryption.

You can use PKCS#8 format keys which can use SHA1 or other digests: in FIPS
mode PKCS#8 format is used by default. Newer versions of OpenSSL also use
PKCS#8 by default.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
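The following is an added example, not part of the original thread and not OpenSSL's own code: it classifies a PEM private key as traditional-encrypted or PKCS#8, and reproduces the MD5-based key derivation (EVP_BytesToKey with one iteration, salted with the first 8 bytes of the DEK-Info IV) that makes the traditional format unreadable in FIPS mode. The sample keys, the function names and the "unencrypted" fallback label are assumptions made for illustration.

```python
import hashlib
import re

# Constructed sample keys: only the headers matter here, the bodies are dummy data.
TRADITIONAL_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""
PKCS8_PEM = """-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAA
-----END ENCRYPTED PRIVATE KEY-----
"""

def classify_pem_key(pem):
    """Return (format, cipher, iv_bytes) for a PEM private key (hypothetical helper)."""
    label = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", pem).group(1)
    dek = re.search(r"^DEK-Info:\s*([^,\s]+),([0-9A-Fa-f]+)\s*$", pem, re.M)
    if "Proc-Type: 4,ENCRYPTED" in pem and dek:
        # Traditional format: cipher and IV are carried in the PEM header.
        return ("traditional-encrypted", dek.group(1), bytes.fromhex(dek.group(2)))
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: cipher and KDF parameters live inside the DER structure.
        return ("pkcs8-encrypted", None, None)
    return ("unencrypted", None, None)

def bytes_to_key_md5(password, iv, key_len):
    """Key derivation applied to traditional-format keys: MD5, one iteration,
    salt = first 8 bytes of the DEK-Info IV."""
    salt, block, out = iv[:8], b"", b""
    while len(out) < key_len:
        # Each block hashes the previous block, the password and the salt.
        block = hashlib.md5(block + password + salt).digest()
        out += block
    return out[:key_len]

def loadable_in_fips_mode(pem):
    """Traditional encrypted keys depend on MD5, so they cannot be read in FIPS mode."""
    return classify_pem_key(pem)[0] != "traditional-encrypted"
```

Keys reported as traditional-encrypted can be re-encoded as PKCS#8 with `openssl pkcs8 -topk8` before they are deployed to a FIPS-mode host.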