From: Jeff Trawick
To: users@httpd.apache.org
Date: Fri, 6 Aug 2010 11:17:38 -0400
Subject: Re: [users@httpd] Apache 2.2.16
In-Reply-To: <1a658ba.4c7e00fc38006e7e298da4cb7136e1e5@webmail.lomag.net>

On Fri, Aug 6, 2010 at 10:57 AM, wrote:
>
> Hello,
>
> I've recently upgraded to 2.2.16 and am encountering some issues. I've noticed the addition of SSLFIPS, however, I did not see any mention of this in the release notes. I did, however, see mention of it in the release notes for 2.3.6, interesting. I've compiled against OpenSSL 0.9.8o-fips (FIPS 1.2 module from openssl.org).
>
> I have a web application that uses OpenLDAP and SSH to add/check resources, such as users. Going through HTTPS and testing the LDAP server configuration (manually entered settings) to verify that I can communicate with the server properly, the Apache child process segfaults. The OpenLDAP version is 2.4.23.
>
> [Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
>
> Has anyone encountered this issue before?
>
> My other issue is when adding a user over HTTPS and having PHP exec() the system's ssh command to connect to the remote machine and perform a few minor operations. The error message I am getting is:
>
> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
> [Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
>
> After researching that error message a bit, it appears to be caused by an MD5 checksum and MD5 is one of the forbidden algorithms in FIPS.
>
> The above mentioned functionality worked flawlessly in 2.2.15 and below.

Did you use the same OpenSSL build with 2.2.15 and below?

My suggestion:

Find out what symptoms are specific to the use of FIPS-enabled OpenSSL
Get backtraces for any crashes (SIGSEGV, SIGABRT) you're seeing
Open bugs with the appropriate component(s) -- httpd, PHP, apr, OpenLDAP, etc. -- depending on what code crashes or is implicated in misusing some other component.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
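
A first pass at separating the two symptoms in this thread, added here as an example (it is not code from the thread or from httpd): it parses an error_log, ties each OpenSSL assertion to the SIGABRT child exit that follows it, and lists the crashes that have no such explanation and so need a backtrace. The sample log is constructed from the lines quoted above, and the function names `triage` and `unexplained` are hypothetical.

```python
import re

# Constructed sample: the three error_log lines quoted in the message above.
SAMPLE_LOG = """\
[Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
[Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
"""

CHILD_EXIT = re.compile(
    r"^\[(?P<when>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<name>.+?) \((?P<signo>\d+)\)"
)
# The assertion text is written to stderr, so it carries no timestamp prefix.
OPENSSL_ASSERT = re.compile(
    r"^(?P<src>[\w./]+)\((?P<line>\d+)\): OpenSSL internal error, "
    r"assertion failed: (?P<msg>.*)$"
)
SIGABRT = 6  # abort() after a failed assertion ends the child with this signal


def triage(log_text):
    """Return one record per crashed child, linked to a preceding assertion."""
    crashes, pending = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = OPENSSL_ASSERT.match(line)
        if m:
            pending = m  # remember it until the next aborted child shows up
            continue
        m = CHILD_EXIT.match(line)
        if not m:
            continue
        signo = int(m["signo"])
        cause = pending if signo == SIGABRT else None
        if cause is not None:
            pending = None  # one assertion explains one abort
        crashes.append({
            "when": m["when"], "pid": int(m["pid"]),
            "signal": m["name"], "signo": signo,
            "assertion": cause["msg"] if cause else None,
            "source": f'{cause["src"]}:{cause["line"]}' if cause else None,
            "fips": bool(cause and "FIPS" in cause["msg"]),
        })
    return crashes


def unexplained(crashes):
    """PIDs of crashes with no logged assertion; these need a backtrace."""
    return [c["pid"] for c in crashes if c["assertion"] is None]
```
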