On Mon, Dec 31, 2012, Sial Nije wrote: > Greetings, > > I need help to generate an ECDSA key file that is passphrase protected and > the key file is used in FIPS mode. My application is StrongSwan linked with > FIPS enabled libcrypto.so, version 1.0.1c. > Seems FIPS capable openssl executable uses hard coded md5 hash on the > passphrase. > There is no md5 in FIPS. So the IPSec IKE establishment fails silently. The > log just states it cannot find private key for the subject name. > If I generate the key in non-FIPS mode and run the IPSec app in non-FIPS > mode then IPSec tunnel establishes successfully. >
Ugh, that's a bug. OpenSSL should switch to PKCS#8 format in FIPS mode and just work. It does that in OpenSSL 0.9.8 but the relevant code didn't make it into the FIPS capable 1.0.1 and later. I'll look into fixing it. Workaround for now is to convert to PKCS#8 format manually (as mentioned in other replies). Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
