
FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips


Jerry Blasdel

Dec 17, 2012, 12:32:04 PM
All,

We are trying to get a FIPS enabled Apache 2.4.3 built with OpenSSL 1.01.

Everything appeared to build correctly, but when we try to start Apache with the SSLFIPS on directive we get the following error:

[Mon Dec 17 17:22:15.355149 2012] [mpm_worker:notice] [pid 10612:tid 1] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips configured -- resuming normal operations
[Mon Dec 17 17:22:15.355460 2012] [core:notice] [pid 10612:tid 1] AH00094: Command line: '/WWW/apache2/apache/bin/httpd -d /WWW/apache2/apache -f /WWW/apache2/apache/conf/httpd.conf'
[Mon Dec 17 17:23:09.532595 2012] [mpm_worker:notice] [pid 10612:tid 1] AH00295: caught SIGTERM, shutting down
[Mon Dec 17 17:23:13.133877 2012] [ssl:emerg] [pid 10703:tid 1] AH01885: FIPS mode failed
[Mon Dec 17 17:23:13.134056 2012] [ssl:emerg] [pid 10703:tid 1] SSL Library Error: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Mon Dec 17 17:23:13.134150 2012] [ssl:emerg] [pid 10703:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.
/WWW/apache2/apache/logs


What could be the cause of this error?

Thanks in advance.



This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

Steve Marquess

Dec 17, 2012, 3:57:57 PM
On 12/17/2012 12:32 PM, Jerry Blasdel wrote:
> All,
>
> We are trying to get a FIPS enabled Apache 2.4.3 built with OpenSSL 1.01.
>
> Everything appeared to build correctly but when we try to start Apache
> with SSLFIPS on directive we get the following error:
>
> ...
> Library Error: error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match
> [Mon Dec 17 17:23:13.134150 2012] [ssl:emerg] [pid 10703:tid 1] AH02312:
> Fatal error initialising mod_ssl, exiting.
> /WWW/apache2/apache/logs
>
> What could be the cause of this error?

There are a multitude of ways the special FIPS module link could fail.

But, I suspect your problem probably has nothing to do with Apache
httpd. Absent some very unusual circumstances any system that is running
httpd should be using shared OpenSSL libraries, which means it is your
"FIPS capable" OpenSSL that was not built correctly. Have you tried
following the examples of building "FIPS capable" OpenSSL libraries in
the User Guide?

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marq...@opensslfoundation.com
marq...@openssl.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Jerry Blasdel

Dec 17, 2012, 4:15:56 PM
Steve,

Thank you for your quick reply. We are trying to follow the User's Guide when building.

We did the following:

For OpenSSLFips (openssl-fips-1.2)

./config

make
make install

For OpenSSL (openssl-1.0.1c)

./config fips --prefix=/WWW/openssl --with-fipslibdir=/usr/local/ssl/fips-2.0/lib

make
make test
make install


Is there anything, such as make test or other commands, that we could run on the built OpenSSL to see if it was built incorrectly?

Thanks







Steve Marquess

Dec 17, 2012, 4:18:33 PM
On 12/17/2012 04:15 PM, Jerry Blasdel wrote:
> Steve,
>
> Thank you for your quick reply. We are trying to follow the User's
> Guide when building.
>
> We did the following:
>
> For OpenSSLFips (openssl-fips-1.2)
>
> ./config
>
> make
> make install
>
> For OpenSSL (openssl-1.0.1c)

Ah. The 1.2 module is not compatible with OpenSSL 1.0.1c. You need to
use the OpenSSL FIPS Object Module 2.0 as documented in the User Guide:

http://www.openssl.org/docs/fips/UserGuide-2.0.pdf

-Steve M.

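Jerry asked what could be run on the built OpenSSL to see whether it was built incorrectly, and Steve's answer points at the module/library version pairing. The following script is an added example written for this archive, not code from the thread or from the OpenSSL project: it checks the pairing rule Steve states (FIPS Object Module 1.2 goes with OpenSSL 0.9.8, 2.0 with 1.0.1), checks that the fipslibdir handed to `./config fips --with-fipslibdir=...` holds the files fipsld needs, and, when given a path to the built `openssl` binary, exercises FIPS mode the same way mod_ssl does (forcing the in-core fingerprint check, then confirming a non-approved digest is refused). The binary path and the fipslibdir are assumed inputs.

```shell
#!/bin/sh
# Added example: sanity checks for a "FIPS capable" OpenSSL 1.0.1 build.
# Assumes the module layout produced by the FIPS Object Module's
# "make install" (default /usr/local/ssl/fips-2.0).

# Module and OpenSSL release must be a matched pair: FOM 1.2 pairs with
# OpenSSL 0.9.8, FOM 2.0 pairs with OpenSSL 1.0.1. Returns 0 if supported.
fips_pair_ok() {
  case "$1:$2" in
    1.2:0.9.8*) return 0 ;;
    2.0:1.0.1*) return 0 ;;
    *) return 1 ;;
  esac
}

# fipsld needs the canister object and premain source plus their digests in
# the directory given to --with-fipslibdir. Returns 0 if all are present.
fips_libdir_ok() {
  dir="$1"; rc=0
  for f in fipscanister.o fipscanister.o.sha1 fips_premain.c fips_premain.c.sha1; do
    if [ ! -f "$dir/$f" ]; then
      echo "missing: $dir/$f" >&2; rc=1
    fi
  done
  return $rc
}

# A FIPS capable build advertises "-fips" in its version banner. Takes the
# text of "openssl version" as an argument so it can be checked offline.
version_is_fips() {
  case "$1" in
    *-fips*) return 0 ;;
    *) return 1 ;;
  esac
}

# Runtime check on an installed build. OPENSSL_FIPS=1 makes the openssl app
# call FIPS_mode_set(1), which runs FIPS_check_incore_fingerprint (the call
# that failed in mod_ssl above); MD5 must then be refused as non-approved.
runtime_check() {
  bin="$1"
  version_is_fips "$("$bin" version)" || { echo "not a FIPS capable build" >&2; return 1; }
  OPENSSL_FIPS=1 "$bin" sha256 /dev/null >/dev/null 2>&1 \
    || { echo "FIPS mode init failed (fingerprint mismatch?)" >&2; return 1; }
  if OPENSSL_FIPS=1 "$bin" md5 /dev/null >/dev/null 2>&1; then
    echo "MD5 accepted in FIPS mode: FIPS mode is not active" >&2; return 1
  fi
  echo "FIPS mode OK"
}

if [ $# -ge 1 ]; then runtime_check "$1"; fi
```

Run it as `sh fipscheck.sh /WWW/openssl/bin/openssl` after `make install`; a fingerprint mismatch shows up here as the sha256 step failing, before httpd is involved.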

Cipher

Mar 26, 2013, 7:17:56 AM
Jerry, All,

I have built FIPS capable openssl 1.0.1c and formed shared
libs (libcrypto.so.1.0.0 and libssl.so.1.0.0). Now I am trying to build
apache to make it FIPS capable. Do you mind telling me the steps involved in
building Apache with the newly built openssl? (I am cross compiling, so have not
installed openssl.)
I tried downloading and building httpd-2.2.24 / apache_1.3.41 and
mod_ssl 1.3.39, but I see compatibility issues.
Can you point me to which mod_ssl version is compatible to work with openssl
1.0.1c/apache (latest)?



