tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Wed, 12 Jun 2013 14:36:16 GMT

On 6/11/13 6:51 PM, Steve Nickels wrote:
> I've been trying to compile tcnative on Windows with a 
> FIPS-compatible build of OpenSSL. I've been successful building
> and running tcnative this way, at least until I turn on FIPS mode
> on the AprLifecycleListener config in Tomcat.

Note that tcnative/FIPS mode hasn't gotten a huge amount of testing.
I'm glad we're getting some users of it.

> When FIPSMode is set to "off", Tomcat works fine, and SSL services 
> operate correctly. When it is set to "on", however, Tomcat refuses
> to start, and I get the following error in the catalina log file:
> SEVERE: Failed to initialize the SSLEngine. java.lang.Exception: 
> error:2D06B06F:FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint does not match

That definitely seems like OpenSSL is refusing to start because it's
failing its self-checks.

> I'm fairly confident that the OpenSSL library I'm using is valid
> and uncorrupted (I've used a couple different copies: an existing
> set of binaries being used successfully in another product
> internally, and a newly built version which I have successfully
> used the openssl utility against, without error).

Can you write a simple C program to link against OpenSSL and try to
start it in FIPS mode? Does that work without error? Feel free to just
steal code from tcnative to put together a Frankenstein's monster of
code just to see if it works.

> My assumption is that I'm not building/linking OpenSSL correctly
> into tcnative.

...and you are building tcnative by hand because the OpenSSL Tomcat
provides is not built with FIPS compatibility, right? You will have to
make sure you have a FIPS-compatible OpenSSL (please post the result
of "openssl.exe version") and you will definitely have to re-build
tcnative against it because otherwise all the FIPS stuff will generate
errors before even trying to call FIPS_mode_set on OpenSSL.

> So far I've tried building both the tcnative and libtcnative
> projects via the supplied Visual Studio workspace. In the former
> case, the APR library appears to be statically linked into
> tcnative-1.dll, so I don't have to provide libapr-1.dll, however I
> do still need to provide libeay.dll and ssleay.dll. In the latter
> case, I provide libtcnative-1.dll, libapr-1.dll, and the two
> OpenSSL libraries. In both cases, it works when FIPS mode is off,
> but not when it is on.
> Is there anything special I need to do to correctly build tcnative
> to support a FIPS-compatible OpenSSL build with FIPSMode turned on
> in Tomcat?
> All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and 
> OpenSSL both 1.0.1c and 1.0.1e, on 32-bit Windows Server 2008.

Unfortunately, I have no experience building projects on Microsoft
Windows... I was able to get the library built and successfully
enabled FIPS mode on Linux (where I did my minimal testing).

What does "openssl.exe version" currently print? I presume it
advertises FIPS-mode? Given that you are getting an OpenSSL error
message, it appears that you have built tcnative properly (that is,
OPENSSL_FIPS has been detected and tcnative is actually attempting to
enter FIPS mode). So I think something must be wrong with either the
OpenSSL library itself or the linkage between the two.

I notice that Tomcat distributes openssl.exe and not openssl.dll (or
similar). Are you building openssl.exe or openssl.dll when you build

- -chris
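The "simple C program" Chris asks for above, as an added example that is not part of the original thread and not code from tcnative or OpenSSL. Instead of linking at build time it loads a crypto library by file name at run time, so one binary can be pointed at each copy of the DLL in turn (the Tomcat-shipped one, the internally used one, the freshly built one) and the results compared. It then calls FIPS_mode_set(1), which is what tcnative calls when FIPSMode is on, and decodes the packed error the same way the catalina log line does. The library file names, the probe_fips() API and the enum names are assumptions made for this example; the lib/func/reason packing is OpenSSL 1.0.x's layout, which is the version range in the thread.

```c
/* fips_probe.c: stand-alone FIPS-mode probe written for this reply (not
 * tcnative code).  Loads an OpenSSL crypto library by name at run time,
 * calls FIPS_mode_set(1) as tcnative would, and decodes the error.
 * Build (Linux):   gcc -o fips_probe fips_probe.c   (add -ldl on old glibc)
 * Build (Windows): cl fips_probe.c
 * Run:             ./fips_probe /path/to/libcrypto.so.1.0.0
 *                  fips_probe.exe C:\path\to\libeay32.dll        */
#include <stdio.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
typedef HMODULE lib_handle;
static lib_handle lib_open(const char *n) { return LoadLibraryA(n); }
static void *lib_sym(lib_handle h, const char *s) { return (void *)GetProcAddress(h, s); }
static void lib_close(lib_handle h) { FreeLibrary(h); }
#else
#include <dlfcn.h>
typedef void *lib_handle;
static lib_handle lib_open(const char *n) { return dlopen(n, RTLD_NOW); }
static void *lib_sym(lib_handle h, const char *s) { return dlsym(h, s); }
static void lib_close(lib_handle h) { dlclose(h); }
#endif

enum probe_result {
    PROBE_FIPS_ON = 0, /* FIPS_mode_set(1) returned 1: library entered FIPS mode */
    PROBE_NO_LIB,      /* file could not be loaded: path, bitness or missing dependency */
    PROBE_NO_SYMBOL,   /* FIPS_mode_set / ERR_get_error not exported: not a 1.0.x libcrypto */
    PROBE_FIPS_FAILED  /* FIPS_mode_set(1) returned 0; *err holds the packed reason */
};

typedef int (*fips_mode_set_fn)(int);
typedef unsigned long (*err_get_error_fn)(void);
typedef void (*void_fn)(void);
typedef void (*err_error_string_n_fn)(unsigned long, char *, size_t);

/* OpenSSL 1.0.x packs lib:function:reason into one unsigned long.  The
 * 0x2D06B06F in the catalina log decodes to lib 45 (FIPS routines),
 * function 107, reason 111. */
int openssl_err_lib(unsigned long e)    { return (int)((e >> 24) & 0xFF); }
int openssl_err_func(unsigned long e)   { return (int)((e >> 12) & 0xFFF); }
int openssl_err_reason(unsigned long e) { return (int)(e & 0xFFF); }

/* err and text may be NULL when the caller only wants the result code. */
enum probe_result probe_fips(const char *libname, unsigned long *err,
                             char *text, size_t textlen)
{
    lib_handle h = lib_open(libname);
    fips_mode_set_fn fips_mode_set;
    err_get_error_fn err_get_error;
    void_fn load_strings;
    err_error_string_n_fn error_string_n;
    unsigned long e;

    if (err) *err = 0;
    if (text && textlen) text[0] = '\0';
    if (!h) return PROBE_NO_LIB;

    fips_mode_set = (fips_mode_set_fn)lib_sym(h, "FIPS_mode_set");
    err_get_error = (err_get_error_fn)lib_sym(h, "ERR_get_error");
    if (!fips_mode_set || !err_get_error) { lib_close(h); return PROBE_NO_SYMBOL; }

    /* On success the library stays loaded; the probe exits right after. */
    if (fips_mode_set(1) == 1) return PROBE_FIPS_ON;

    e = err_get_error();                      /* oldest queued error: the self-test that failed */
    if (err) *err = e;
    if (text && textlen) {
        /* Render "error:XXXXXXXX:lib:func:reason" like the log; the string
         * table is optional and only present in 1.0.x exports. */
        load_strings = (void_fn)lib_sym(h, "ERR_load_crypto_strings");
        error_string_n = (err_error_string_n_fn)lib_sym(h, "ERR_error_string_n");
        if (load_strings) load_strings();
        if (error_string_n) error_string_n(e, text, textlen);
        else snprintf(text, textlen, "error:%08lX", e);
    }
    lib_close(h);
    return PROBE_FIPS_FAILED;
}

int main(int argc, char **argv)
{
#ifdef _WIN32
    const char *lib = argc > 1 ? argv[1] : "libeay32.dll";       /* assumed default name */
#else
    const char *lib = argc > 1 ? argv[1] : "libcrypto.so.1.0.0"; /* assumed default name */
#endif
    unsigned long e = 0;
    char text[256];

    switch (probe_fips(lib, &e, text, sizeof text)) {
    case PROBE_FIPS_ON:     printf("%s: FIPS mode enabled\n", lib); return 0;
    case PROBE_NO_LIB:      printf("%s: could not be loaded\n", lib); return 1;
    case PROBE_NO_SYMBOL:   printf("%s: no FIPS_mode_set/ERR_get_error export\n", lib); return 1;
    case PROBE_FIPS_FAILED: printf("%s: FIPS_mode_set(1) failed: %s (lib %d func %d reason %d)\n",
                                   lib, text, openssl_err_lib(e), openssl_err_func(e),
                                   openssl_err_reason(e)); return 1;
    }
    return 1;
}
```

If the probe reports PROBE_FIPS_ON against a given DLL but Tomcat still fails with the same library, the problem is in how tcnative was linked; if the probe fails with the same fingerprint error, the library itself is not passing its self-check. A non-FIPS 1.0.x build still exports FIPS_mode_set but fails with a different lib/reason pair, which the decoded numbers make visible.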