On Fri, Feb 19, 2016, Neptune wrote:

> failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt>
>
> Hello all,
> I've attached a .crt certificate file that we are experiencing a problem
> with. When trying to process this certificate using the PKCS7_decrypt( )
> function. The error string is:
>
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
>
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
> someone would be nice enough to inspect this file and verify if there is any
> non-FIPS-iness. I don't want to point fingers at the environment without
> proof.
>

Well that link is not a certificate but a PKCS#7 signed data structure whose
content is itself a PKCS#7 enveloped data structure. You mentioned
PKCS7_decrypt() so that may be a reference to the inner content.

Analysing that with asn1parse shows that it is using single DES as the content
encryption algorithm (56 bits) which is not approved in FIPS mode. So I suspect
that is the cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
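
The check described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: a small walker that descends through a signed-data wrapper into the nested enveloped data and reports which cipher OIDs it finds and whether FIPS mode accepts them. It assumes raw DER input with definite lengths; the function names, the three-entry cipher table and the sample bytes are constructed for illustration.

```python
# DER OID value -> (dotted OID, name, FIPS-approved); DES and RC2 are not, AES is.
CIPHERS = {
    bytes.fromhex("2b0e030207"): ("1.3.14.3.2.7", "des-cbc", False),
    bytes.fromhex("2a864886f70d0302"): ("1.2.840.113549.3.2", "rc2-cbc", False),
    bytes.fromhex("60864801650304012a"): ("2.16.840.1.101.3.4.1.42", "aes-256-cbc", True),
}

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length (BER) is not handled")
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def find_ciphers(buf, start=0, end=None):
    """List CIPHERS entries found, descending into constructed elements and
    into OCTET STRINGs that themselves hold DER (the nested PKCS#7)."""
    end, pos, hits = (len(buf) if end is None else end), start, []
    while pos < end:
        tag, vs, ve = read_tlv(buf, pos)
        if ve > end:
            raise ValueError("element overruns its parent")
        if tag == 0x06 and bytes(buf[vs:ve]) in CIPHERS:
            hits.append(CIPHERS[bytes(buf[vs:ve])])
        elif tag & 0x20:                   # SEQUENCE, SET, [0] ...: recurse
            hits += find_ciphers(buf, vs, ve)
        elif tag == 0x04:                  # may wrap the inner structure
            try:
                hits += find_ciphers(buf, vs, ve)
            except (ValueError, IndexError):
                pass                       # opaque bytes such as an IV
        pos = ve
    return hits

def non_fips(buf):
    """Names of ciphers referenced in buf that FIPS mode rejects."""
    return [name for _oid, name, ok in find_ciphers(buf) if not ok]

# Constructed sample (not the poster's file): SignedData wrapping des-cbc EnvelopedData.
SAMPLE = bytes.fromhex(
    "3067 06092a864886f70d010702 a05a 3058 020101 3100"
    "304f 06092a864886f70d010701 a042 0440"
    "303e 06092a864886f70d010703 a031 302f 020100 3100"
    "3028 06092a864886f70d010701"
    "3011 06052b0e030207 0408 0102030405060708"
    "8008 1122334455667788 3100")
```

A cipher OID can also appear in an S/MIME capabilities attribute of a signed message, so a hit is a pointer to inspect the structure, not proof that the content was encrypted with that cipher.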