httpd-users mailing list archives

From Jeff Trawick <traw...@gmail.com>
Subject Re: [users@httpd] Apache 2.2.16
Date Fri, 06 Aug 2010 15:17:38 GMT
On Fri, Aug 6, 2010 at 10:57 AM,  <james@nixsecurity.org> wrote:
>
> Hello,
>
> I've recently upgraded to 2.2.16 and am encountering some issues. I've
> noticed the addition of SSLFIPS, however, I did not see any mention of
> this in the release notes. I did, however, see mention of it in the
> release notes for 2.3.6, interesting. I've compiled against OpenSSL
> 0.9.8o-fips (FIPS 1.2 module from openssl.org).
>
> I have a web application that uses OpenLDAP and SSH to add/check
> resources, such as users. Going through HTTPS and testing the LDAP server
> configuration (manually entered settings) to verify that I can communicate
> with the server properly, the Apache child process segfaults. The OpenLDAP
> version is 2.4.23.
>
> [Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
>
> Has anyone encountered this issue before?
>
> My other issue is when adding a user over HTTPS and having PHP exec() the
> system's ssh command to connect to the remote machine and perform a few
> minor operations. The error message I am getting is:
>
> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
> [Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
>
> After researching that error message a bit, it appears to be caused by an
> MD5 checksum and MD5 is one of the forbidden algorithms in FIPS.
>
> The above mentioned functionality worked flawlessly in 2.2.15 and below.

Did you use the same OpenSSL build with 2.2.15 and below?

My suggestion:

- Find out what symptoms are specific to the use of FIPS-enabled OpenSSL
- Get backtraces for any crashes (SIGSEGV, SIGABRT) you're seeing
- Open bugs with the appropriate component(s) -- httpd, PHP, apr,
  OpenLDAP, etc. -- depending on what code crashes or is implicated in
  misusing some other component.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
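
An added example, not part of the original message or of httpd: one way to sort error_log child crashes into those explained by an OpenSSL FIPS assertion and those that still need a backtrace. The sample log is constructed from the lines quoted in the thread; the function name, the category labels and the rule that an abort is attributed to the most recent unclaimed assertion are assumptions of this sketch.

```python
import re

# Constructed sample: the two error_log excerpts quoted in the thread, in log order.
SAMPLE_LOG = """\
[Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
[Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
"""

EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<name>.+?) \((?P<signo>\d+)\)")
ASSERT_RE = re.compile(
    r"^(?P<src>[\w./-]+\.c)\((?P<line>\d+)\): "
    r"OpenSSL internal error, assertion failed: (?P<msg>.*)$")
SIGABRT = 6

def triage(log_text):
    """Return one record per crashed child, in log order."""
    crashes, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = ASSERT_RE.match(line)
        if hit:
            pending = hit.groupdict()      # stderr line from OpenSSL, no timestamp
            continue
        hit = EXIT_RE.match(line)
        if not hit:
            continue
        signo, assertion = int(hit["signo"]), None
        # Assumption: an abort is attributed to the most recent unclaimed assertion.
        if signo == SIGABRT and pending:
            assertion, pending = pending, None
        fips = bool(assertion) and "FIPS" in assertion["msg"]
        crashes.append({
            "time": hit["ts"], "pid": int(hit["pid"]), "signo": signo,
            "signal": hit["name"], "assertion": assertion,
            "category": "openssl-fips-assertion" if fips else "needs-backtrace",
        })
    return crashes

if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        print(c["time"], c["pid"], c["signal"], "->", c["category"])
```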

