From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: [Bug 60943] New: mod_ssl enables all of OpenSSL's built-in engines, even when in FIPS mode.
Date: Thu, 30 Mar 2017 18:27:07 +0000

https://bz.apache.org/bugzilla/show_bug.cgi?id=60943

            Bug ID: 60943
           Summary: mod_ssl enables all of OpenSSL's built-in engines, even when in FIPS mode.
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: stephen_wall@redcom.com
  Target Milestone: ---

FreeBSD (and OpenBSD) provide(s) a crypto accelerator device, /dev/crypto, for which OpenSSL builds a built-in engine.
Apache's mod_ssl calls ENGINE_load_builtin_engines() as part of its startup, resulting in that engine being active. For RSA operations, that engine calls some OpenSSL internal RSA functions. Those functions are not the FIPS certified ones, resulting in a failure if FIPS has been enabled. This means Apache will reject all connections until it is reconfigured, either without FIPS enabled, or with an EC certificate.

While I believe that the OpenSSL cryptodev engine should not be calling those functions, I don't think mod_ssl should be arbitrarily enabling all the built-in engines, even when FIPS mode has been turned on, since it has no knowledge of whether those engines are FIPS certified. Either don't call ENGINE_load_builtin_engines() when in FIPS mode, or add a configuration option that allows users to choose for themselves whether or not ENGINE_load_builtin_engines() is called.