On Fri, Aug 10, 2007, Elia, Leonard F. wrote: > I have a question about OpenSSL FIPS mode. > > I created openssl using the FIPS module, openssl 0.9.7m, and mingw on > windows. It works cross platform with openssl FIPS created on Linux; my > Solaris 10 version has been shelved for now. > > I can encrypt and decrypt out of FIPS mode. > I cannot decrypt a file encrypted in FIPS mode when I am not in FIPS mode; > I cannot decrypt a file not encrypted in FIPS mode when I am in FIPS mode. > likewise, vanilla openssl does not decrypt a file created with openssl > FIPS in FIPS mode. > > I thought FIPS mode just disabled ciphers. Is this the expected and > normal behavior? I have verified this on Linux and on Windows, and the > same holds for cross-platform encryption/decryption. >
Depends on the command used to encrypt/decrypt. If it is the default password derivation in the 'enc' command then note that this uses MD5 for key derivation. For compatibility OpenSSL uses MD5 in non-FIPS mode and SHA1 in FIPS mode for key derivation. Since you cannot use MD5 in FIPS mode you cannot derive the appropriate keys. You *can* however change the digest used for derivation using the: -md sha1 command line switch which will then use SHA1 in FIPS and non-FIPS mode. The two should then be compatible. Steve. -- Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage OpenSSL project core developer and freelance consultant. Funding needed! Details on homepage. Homepage: http://www.drh-consultancy.demon.co.uk ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
