[openssl-users] OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt in FIPS mode

Dr. Stephen Henson steve at openssl.org
Fri Feb 19 22:41:39 UTC 2016

On Fri, Feb 19, 2016, Neptune wrote:

> failedcert.crt <http://openssl.6102.n7.nabble.com/file/n63828/failedcert.crt>  
> Hello all,
> I've attached a .crt certificate file that we are experiencing a problem
> with when trying to process this certificate using the PKCS7_decrypt()
> function. The error string is:
> OPENSSL error:21072077:PKCS7 routines:PKCS7_decrypt:decrypt error
> This only happens in FIPS mode so we suspect a weak cipher, but I'm unable
> to glean any specified error that would verify this suspicion. I was hoping
> someone would be nice enough to inspect this file and verify if there is any
> non-FIPS-iness. I don't want to point fingers at the environment without
> proof.

Well that link is not a certificate but a PKCS#7 signed data structure whose
content is itself a PKCS#7 enveloped data structure.

You mentioned PKCS7_decrypt() so that may be a reference to the inner content.
Analysing that with asn1parse shows that it is using single DES as the content
encryption algorithm (56 bits) which is not approved in FIPS mode. So I
suspect that is the cause.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
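
The check described in the reply above, as an added example that is not part of the original message or OpenSSL code: a minimal DER walker that pulls the content encryption algorithm out of a PKCS#7 enveloped data blob, the field asn1parse revealed as single DES. It handles only the inner enveloped structure, the sample inputs are constructed, and the allow-list is an assumption of this example.

```python
ENVELOPED = "1.2.840.113549.1.7.3"  # pkcs7-envelopedData
# OID -> (name, allowed). Assumption: AES-128-CBC stands in for an approved cipher;
# the thread itself only establishes that single DES is rejected in FIPS mode.
CIPHERS = {"1.3.14.3.2.7": ("des-cbc", False),
           "2.16.840.1.101.3.4.1.2": ("aes-128-cbc", True)}

def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element at pos (single-byte tags)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split a constructed element's body into (tag, body) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid_str(raw):  # DER OID content bytes -> dotted string
    arcs, n = [], 0
    for byte in raw:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear ends the current arc
            arcs, n = arcs + [n], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def content_cipher(der):
    """Return (name, allowed) for an EnvelopedData's contentEncryptionAlgorithm."""
    ctype, wrapped = children(read_tlv(der, 0)[1])  # ContentInfo: OID, [0] content
    if oid_str(ctype[1]) != ENVELOPED:
        raise ValueError("not PKCS#7 enveloped data")
    env = children(wrapped[1])[0][1]                # EnvelopedData SEQUENCE body
    eci = children(env)[2][1]                       # after version, recipientInfos
    alg = children(eci)[1][1]                       # after inner contentType OID
    oid = oid_str(children(alg)[0][1])
    return CIPHERS.get(oid, (oid, False))

def tlv(tag, *parts):  # DER encoder for the samples; short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def sample(cipher_oid_hex, iv_len):
    # Constructed input: zero IV and ciphertext, empty recipientInfos (parsing only).
    alg = tlv(0x30, tlv(0x06, bytes.fromhex(cipher_oid_hex)), tlv(0x04, bytes(iv_len)))
    eci = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010701")), alg, tlv(0x80, bytes(8)))
    env = tlv(0x30, tlv(0x02, b"\x00"), tlv(0x31), eci)
    return tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010703")), tlv(0xA0, env))
```

Calling content_cipher(sample("2b0e030207", 8)) reports des-cbc as not allowed, which is the condition the reply identifies as the likely cause of the decrypt error.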
