httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rainer Jung <rainer.j...@kippdata.de>
Subject Re: [users@httpd] FIPS disabled by httpd 2.4.3
Date Wed, 22 Aug 2012 22:15:24 GMT
On 22.08.2012 20:47, Ruiyuan Jiang wrote:
> Hi,
>
> My OpenSSL v1.0.1c was compiled as FIPS enabled.
>
> # /usr/local/ssl/bin/openssl
> OpenSSL> version
> OpenSSL 1.0.1c-fips 10 May 2012
> OpenSSL>
>
> I did compilation httpd v2.4.2 and v2.4.3 to use the above version of openssl. After
I started httpd v2.4.3, I noticed in the error_log that FIPS is being disabled. Why or is
there something that I did wrong for the mod_ssl option in the "configure" period? Thanks.
>
> # cat  error_log
> [Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 140125173548800] AH01886:
SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.603319 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity
for Apache/2.6.7 (http://www.modsecurity.org/) configured.
> [Wed Aug 22 14:37:28.603331 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity:
APR compiled version="1.4.6"; loaded version="1.4.6"
> [Wed Aug 22 14:37:28.603336 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity:
PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity:
LIBXML compiled version="2.7.6"
> [Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] Original
server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips
> [Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid 140125173548800] AH01886:
SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.724620 2012] [lbmethod_heartbeat:notice] [pid 23568:tid 140125173548800]
AH02282: No slotmem from mod_heartmonitor
> [Wed Aug 22 14:37:29.011086 2012] [mpm_worker:notice] [pid 23568:tid 140125173548800]
AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips rproxynj.fifthandpacific.com configured --
resuming normal operations
> [Wed Aug 22 14:37:29.011208 2012] [core:notice] [pid 23568:tid 140125173548800] AH00094:
Command line: '/opt/apache2.4.3/bin/httpd'

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslfips

No difference between 2.4.2 and 2.4.3 though.

In order for the message to be written, your build needs support for the 
directive. This is included in 2.4.2 and 2.4.3 by default, but could be 
disabled if during the build HAVE_FIPS is not defined. This define in 
turn is set if the OpenSSl detected during configure is of version >= 
0.9.8a and has FIPS support built in.

I would first check for differences between your builds of 2.4.2 and 
2.4.3 by adding SSLFips Off to the config. If FIPS support is not 
compiled into Apache, then it will fail to start and complain about an 
unknown directive SSLFips.

If adding the directive works for both, try setting it to On in both 
cases and check the startup messages for FIPS mode messages.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message