httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] SSLFIPS Directive (UNCLASSIFIED)
Date Tue, 16 Nov 2010 22:21:48 GMT

----- "Dwight P CTR DISA PAC Victor" <dwight.victor.ctr@disa.mil> wrote:

> Classification:  UNCLASSIFIED 
> Caveats: NONE
> 
> Related?
> http://rt.openssl.org/Ticket/Display.html?id=1278&user=guest&pass=guest
> 
> ---
> Dwight Victor (Contractor), CISSP, RHCT, SCSECA
> DISA-PAC EMSS Gateway Hawaii
> EMAIL: dwight.victor.ctr@disa.mil
> TEL:   (808) 653-3677 ext 229 
> 
> -----Original Message-----
> From: james@nixsecurity.org [mailto:james@nixsecurity.org] 
> Sent: Thursday, November 11, 2010 9:01 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] SSLFIPS Directive
> 
> Apache 2.2.17
> OpenSSL 0.9.8n FIPS
> PHP 5.3.2
> libssh2 1.2.6
> 
> So, I have a web application where the front-end is Flex/AS3 and the
> back-end is a mix of PHP/C. PHP is compiled with the libssh2 library
> and the pecl extension to enable the ssh2 functionality. I use the
> ssh2 functions within PHP for communication between systems. For
> instance, the interface allows you to add another product of ours for
> communication with our primary product. Communication works via SSH,
> I'm not going to get into the details of that. Anyway, what happens
> when I introduce the SSLFIPS directive into my httpd.conf, apache
> child processes are crashing. This happens even if the directive's
> value is set to off. However, if I don't introduce the directive,
> everything works as expected.
> 
> We are required by government customers to offer FIPS.
> 
> [Thu Nov 11 13:50:43 2010] [notice] Operating in SSL FIPS mode
> [Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary
> 512 bit RSA private key in FIPS mode
> [Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary
> 512 bit DH parameters in FIPS mode
> [Thu Nov 11 13:50:43 2010] [notice] Apache/2.2.17 (Unix)
> mod_ssl/2.2.17 OpenSSL/0.9.8o-fips configured -- resuming normal
> operations
> digest.c(151): OpenSSL internal error, assertion failed: Digest update
> previous FIPS forbidden algorithm error ignored
> digest.c(151): OpenSSL internal error, assertion failed: Digest update
> previous FIPS forbidden algorithm error ignored
> [Thu Nov 11 13:50:58 2010] [notice] child pid 24913 exit signal
> Aborted (6)
> [Thu Nov 11 13:50:58 2010] [notice] child pid 24915 exit signal
> Aborted (6)

Can you get us a coredump/back-trace of the children which are dying?
How, exactly, have you compiled/linked the PECL extensions vs mod_ssl?

> Any thoughts?

If all else fails: Run PHP in the backend, and the SSL termination
in a proxy.


i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message