Private Key Format Different in FIPS Mode
We are using OpenSSL version 0.9.8l And what we find is that the DSA private key formats are different in FIPS and non-FIPS mode In FIPS mode it starts with -BEGIN PRIVATE KEY- Whereas in non-FIPS mode it starts with -BEGIN DSA PRIVATE KEY- I understand that this is expected since the traditional format relies on MD5 which is prohibited in FIPS mode However for our application to work with the SSH keys we would need it in the traditional format in FIPS mode Is there a way to override this default behavior and still be able to generate the keys in the traditional format. Any pointers would be greatly appreciated. Thanks, Anamitra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: Private Key Format Different in FIPS Mode
Also I found that this works fine with openssl 1.0.1 Where keys are generated in FIPS mode with the following line. Can someone let me know why this change in behavior between 0.9.8l and 1.0.1? -BEGIN DSA PRIVATE KEY- Thanks, Anamitra On 6/12/13 12:01 PM, Anamitra Dutta Majumdar (anmajumd) anmaj...@cisco.com wrote: We are using OpenSSL version 0.9.8l And what we find is that the DSA private key formats are different in FIPS and non-FIPS mode In FIPS mode it starts with -BEGIN PRIVATE KEY- Whereas in non-FIPS mode it starts with -BEGIN DSA PRIVATE KEY- I understand that this is expected since the traditional format relies on MD5 which is prohibited in FIPS mode However for our application to work with the SSH keys we would need it in the traditional format in FIPS mode Is there a way to override this default behavior and still be able to generate the keys in the traditional format. Any pointers would be greatly appreciated. Thanks, Anamitra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
Re: PKCS12 keystore creation failing in fips mode
Hello Steve , Thanks for your response. Is there a corresponding API where we can impose this descert option? -Anamitra On 5/29/13 6:15 PM, Dr. Stephen Henson st...@openssl.org wrote: On Wed, May 29, 2013, Anamitra Dutta Majumdar (anmajumd) wrote: We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1 and it fails with the following error 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore Enter Export Password: Verifying - Enter Export Password: 4151633544:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142: 4151633544:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205: 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83: 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175: 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202: The same command works in FIPS mode. So I have the following questions 1. Is there a way to work around issue and still be able to create pkcs12 format keystore in FIPS mode. 2. This command worked in earlier version of openssl like 0.9.8l in FIPS mode. What has changed in 1.0.1 That it has stopped working in FIPS mode. Any pointers will be appreciated. That's a bug in 1.0.1 in that it tries to use an unapproved algorithm in FIPS mode. Workaround: use the -descert option. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
PKCS12 keystore creation failing in fips mode
We are trying to create pkcs12 keystore in FIPS mode using OpenSSL 1.0.1 and it fails with the following error 9uo8bYe2YpDmqEgC[root@vos-i/usr/local/platform/bin/openssl pkcs12 -export -in tomcat.pem -inkey ../keys/tomcat_priv.pem -out tomcat.keystore Enter Export Password: Verifying - Enter Export Password: 4151633544:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142: 4151633544:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205: 4151633544:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83: 4151633544:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175: 4151633544:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202: The same command works in FIPS mode. So I have the following questions 1. Is there a way to work around issue and still be able to create pkcs12 format keystore in FIPS mode. 2. This command worked in earlier version of openssl like 0.9.8l in FIPS mode. What has changed in 1.0.1 That it has stopped working in FIPS mode. Any pointers will be appreciated. Thanks, Anamitra __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
openssh_DSA_verify_inFIPS EVP_VerifyFinal BAD SIG code:-1 ERROR
We are getting the following error in the syslogs secure:Nov 9 19:32:04 cls2-pub authpriv 3 sshd[9526]: error: openssh_DSA_verify_inFIPS EVP_VerifyFinal BAD SIG code:-1 when we connect between two servers using ssh key based authentication. This issue happens only in FIPS mode and not in non FIPS mode. What is the root cause for this and what is the workaround. Any pointers would be appreciated. Thanks, Anamitra
Re: sslv3 alert bad certificate:s3_pkt.c:1065:SSL alert number 42
Hi Dave, This is a close box without a server operator. Is there a way to determine why the cert chain was Disliked. Thanks, Anamitra On 10/26/12 3:14 PM, Dave Thompson dthomp...@prinpay.com wrote: From: owner-openssl-us...@openssl.org On Behalf Of Anamitra Dutta Majumdar (anmajumd) Sent: Thursday, 25 October, 2012 02:48 We are getting the following error when running the s_client. We are on openssl 0.9.8l What could be the possible cause of this error snip 4955:error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate: s3_pkt.c:1065:SSL alert number 42 4955:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure: s3_pkt.c:530: The server doesn't like the client certificate (chain) you sent. It didn't use one of the more specific alert codes to say what it disliked. Either ask the server operator(s) what it disliked, or if they have a stated policy about what certs they accept, examine your cert chain and compare to that policy. __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org __ OpenSSL Project http://www.openssl.org User Support Mailing Listopenssl-users@openssl.org Automated List Manager majord...@openssl.org
RE: known answer test and alogorithm test for Diffie-Hellman?
Have not seen a response to this. The FIPS_selftest() API does not perform any selt-tests on diffie-Hellman algorithm. Is it because it is a non-approved security function in the FIPS module? Do we need self tests on DH if DH key exchange is used by SSH in the system running in FIPS mode? Thanks Anamitra From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Nikitha Sent: Wednesday, April 07, 2010 10:23 AM To: openssl-users Subject: known answer test and alogorithm test for Diffie-Hellman? Hi All, I'm a novice user to openssl libraries. Could you plz point me to the source/test suite available for known answer test of FIPS 140-2 level 2 complaint Diffie-Hellman module? Thanks, Nikitha
