Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
On Wed, Jun 07, 2006, David Gillingham wrote:

> Hello all, I've been tasked to internally investigate a system that utilizes STunnel and OpenSSL to create a secure wrapper for a proprietary protocol. Additionally, this solution must eventually be FIPS 140-2 compliant.
>
> 608008D: error:0608008D:digital envelope routines:EVP_DigestInit:disabled for fips

That's the problem. I'd guess that this is due to a certificate using an algorithm that isn't allowed in FIPS mode: probably MD5.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
I was able to convert the key as you instructed, and I overwrote the old RSA private key from my server.pem file with the new PKCS8 one. I am now getting a different error message. From these new messages, I'm guessing OpenSSL is expecting a file in PKCS12 format, but that my file does not match this format. Is my understanding correct? Error log follows.

BEGIN STUNNEL LOG
2006.06.08 17:49:38 LOG7[1120:616]: Certificate: server.pem
2006.06.08 17:49:38 LOG7[1120:616]: Key file: server.pem
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 2306A075 : error:2306A075:PKCS12 routines:PKCS12_DECRYPT_D2I:pkcs12 pbe crypt error
2006.06.08 17:49:42 LOG3[1120:616]: error stack: 23077073 : error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
2006.06.08 17:49:42 LOG3[1120:616]: SSL_CTX_use_RSAPrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
2006.06.08 17:49:42 LOG3[1120:616]: Server is down
END STUNNEL LOG
Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
On Thu, Jun 08, 2006, David Gillingham wrote:

> I was able to convert the key as you instructed, and I overwrote the old RSA private key from my server.pem file with the new PKCS8 one. I am now getting a different error message. From these new messages, I'm guessing OpenSSL is expecting a file in PKCS12 format, but that my file does not match this format. Is my understanding correct? Error log follows.
>
> BEGIN STUNNEL LOG
> 2006.06.08 17:49:38 LOG7[1120:616]: Certificate: server.pem
> 2006.06.08 17:49:38 LOG7[1120:616]: Key file: server.pem
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 906700D : error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 2306A075 : error:2306A075:PKCS12 routines:PKCS12_DECRYPT_D2I:pkcs12 pbe crypt error
> 2006.06.08 17:49:42 LOG3[1120:616]: error stack: 23077073 : error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
> 2006.06.08 17:49:42 LOG3[1120:616]: SSL_CTX_use_RSAPrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
> 2006.06.08 17:49:42 LOG3[1120:616]: Server is down
> END STUNNEL LOG

That error means that the PBE table has not been initialized in the application. A call to OpenSSL_add_all_algorithms() would have automatically done that, so I'd guess that the table is being initialized in a customized way, possibly to reduce the number of algorithms added. A call to PKCS5_PBE_add() is needed in any case in the application.

Steve.
Re: Need some help debugging SSL error thrown from STunnel using OpenSSL-FIPS
Dr. Henson --

Adding in a call to OpenSSL_add_all_algorithms() fixed the error. Thanks for the assistance.
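The thread turns on two facts that are visible in the PEM files before stunnel ever starts: which digest signed the certificate (Steve's MD5 guess behind error 0608008D), and which password-based encryption (PBE) scheme wraps the converted PKCS#8 key (the "unknown pbe algorithm" that the application has to have registered). The following pre-flight check is an added example written for this page; it is not code from the thread, from stunnel or from OpenSSL. It is pure standard library: a minimal DER walker that pulls the two outer AlgorithmIdentifiers out of a certificate and an ENCRYPTED PRIVATE KEY, names the OIDs, and flags the ones that are not FIPS-approved (MD5 and single DES; 3DES/SHA-1-based PKCS#12 PBE and PBES2 with AES were acceptable under 140-2). The OIDs are the standard ones; the sample certificate and keys are constructed stand-ins built by the tiny encoder at the bottom (the tbsCertificate is a placeholder), not real credentials.

```python
"""FIPS pre-flight for a PEM certificate and a PKCS#8 encrypted key (stdlib only).

Reports the certificate's signature algorithm and the key's PBE scheme so you
know what a FIPS-mode OpenSSL must be able to decode, and what the application
must have registered, before the first handshake.  The DER reader covers only
what the two outer AlgorithmIdentifiers need.  Added example, not project code."""
import base64
import re

SEQ, INT, BITS, OCT, OID = 0x30, 0x02, 0x03, 0x04, 0x06

OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
}
# MD5 was never FIPS-approved and single DES was withdrawn in 2005.
FIPS_DISALLOWED = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.5.3", "1.2.840.113549.1.5.10"}


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        yield tag, val


def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                    # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _alg_oid(algid):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }"""
    items = list(_children(algid))
    return _decode_oid(items[0][1]), (items[1][1] if len(items) > 1 else b"")


def pem_to_der(pem, label):
    m = re.search(r"-----BEGIN %s-----(.*?)-----END %s-----" % (label, label), pem, re.S)
    if not m:
        raise ValueError("no %s block in PEM input" % label)
    return base64.b64decode("".join(m.group(1).split()))


def check_cert(pem):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    Returns (signature algorithm name, fips_ok)."""
    _, cert, _ = _read_tlv(pem_to_der(pem, "CERTIFICATE"), 0)
    sig_oid = _alg_oid(list(_children(cert))[1][1])[0]
    return OID_NAMES.get(sig_oid, sig_oid), sig_oid not in FIPS_DISALLOWED


def check_key(pem):
    """EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }
    Returns (pbe name, cipher name or None, fips_ok); the cipher is only
    identified separately for PBES2, whose parameters carry it."""
    _, epki, _ = _read_tlv(pem_to_der(pem, "ENCRYPTED PRIVATE KEY"), 0)
    pbe_oid, params = _alg_oid(list(_children(epki))[0][1])
    cipher = None
    if pbe_oid == "1.2.840.113549.1.5.13":  # PBES2-params ::= { keyDerivationFunc, encryptionScheme }
        enc_oid = _alg_oid(list(_children(params))[1][1])[0]
        cipher = OID_NAMES.get(enc_oid, enc_oid)
    return OID_NAMES.get(pbe_oid, pbe_oid), cipher, pbe_oid not in FIPS_DISALLOWED


# --- constructed sample inputs: a minimal DER encoder, not real credentials ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = [0x80 | (a & 0x7F)] + chunk, a >> 7
        out += chunk
    return _tlv(OID, bytes(out))


def _algid(oid, params=b"\x05\x00"):      # default parameters: NULL
    return _tlv(SEQ, _oid(oid) + params)


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


def fake_cert(sig_oid):
    tbs = _tlv(SEQ, _tlv(INT, b"\x02"))    # placeholder tbsCertificate; only the outer AlgorithmIdentifier is read
    return _pem("CERTIFICATE", _tlv(SEQ, tbs + _algid(sig_oid) + _tlv(BITS, b"\x00" * 9)))


def fake_key(pbe_oid, params):
    return _pem("ENCRYPTED PRIVATE KEY", _tlv(SEQ, _algid(pbe_oid, params) + _tlv(OCT, b"\x00" * 16)))


PBE_PARAMS = _tlv(SEQ, _tlv(OCT, b"\x11" * 8) + _tlv(INT, b"\x08\x00"))         # salt, 2048 iterations
PBES2_PARAMS = _tlv(SEQ, _algid("1.2.840.113549.1.5.12", PBE_PARAMS)             # PBKDF2 ...
               + _algid("2.16.840.1.101.3.4.1.42", _tlv(OCT, b"\x22" * 16)))     # ... with AES-256-CBC

if __name__ == "__main__":
    print(check_cert(fake_cert("1.2.840.113549.1.1.4")))
    print(check_key(fake_key("1.2.840.113549.1.12.1.3", PBE_PARAMS)))
    print(check_key(fake_key("1.2.840.113549.1.5.13", PBES2_PARAMS)))
```

Run it against a real server.pem by passing the file contents to check_cert and check_key. An MD5-signed certificate is the case Steve guessed at in the first reply; a key reported as pbeWithSHAAnd3-KeyTripleDES-CBC is what `openssl pkcs8 -topk8` produced by default at the time, and matches the "pkcs12 pbe" routines in the stunnel log. Knowing the PBE in use tells you what the application must have registered (OpenSSL_add_all_algorithms() or an explicit PKCS5_PBE_add(), as the thread concludes); the check does not replace that fix.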