OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, Feb 19, 2016, Neptune wrote:

> failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt>  
> 
> Hello all,
> I've attached a .crt certificate file that we are experiencing a problem
> with. When trying to process this certificate using the PKCS7_decrypt( )
> function. The error string is:
> 
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
> 
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
> someone would be nice enough to inspect this file and verify if there is any
> non-FIPS-iness. I don't want to point fingers at the environment without
> proof.
> 

Well that link is not an certificate but a PKCS#7 signed data structure whose
content is itself a PKCS#7 enveloped data structure.

You mentioned PKCS7_decrypt() so that may be a referenceto the inner content.
Analysing that with asn1parse shows that it is using single DES as the content
encryption algorithm (56 bits) which is not approved in FIPS mode. So I
suspect that is the cause.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux