tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Wed, 12 Jun 2013 14:36:16 GMT

Steve,

On 6/11/13 6:51 PM, Steve Nickels wrote:
> I've been trying to compile tcnative on Windows with a 
> FIPS-compatible build of OpenSSL. I've been successful building
> and running tcnative this way, at least until I turn on FIPS mode
> on the AprLifecycleListener config in Tomcat.

Note that tcnative/FIPS mode hasn't gotten a huge amount of testing.
I'm glad we're getting some users of it.

> When FIPSMode is set to "off", Tomcat works fine, and SSL services 
> operate correctly. When it is set to "on", however, Tomcat refuses
> to start, and I get the following error in the catalina log file:
> 
> SEVERE: Failed to initialize the SSLEngine. java.lang.Exception: 
> error:2D06B06F:FIPS 
> routines:FIPS_check_incore_fingerprint:fingerprint does not match

That definitely seems like OpenSSL is refusing to start because it's
failing its self-checks.

> I'm fairly confident that the OpenSSL library I'm using is valid
> and uncorrupted (I've used a couple different copies: an existing
> set of binaries being used successfully in another product
> internally, and a newly built version which I have successfully
> used the openssl utility against, without error).

Can you write a simple C program to link against OpenSSL and try to
start it in FIPS mode? Does that work without error? Feel free to just
steal code from tcnative to put together a Frankenstein's monster of
code just to see if it works.

> My assumption is that I'm not building/linking OpenSSL correctly
> into tcnative.

...and you are building tcnative by hand because the OpenSSL Tomcat
provides is not built with FIPS compatibility, right? You will have to
make sure you have a FIPS-compatible OpenSSL (please post the result
of "openssl.exe version") and you will definitely have to re-build
tcnative against it because otherwise all the FIPS stuff will generate
errors before even trying to call FIPS_mode_set on OpenSSL.

> So far I've tried building both the tcnative and libtcnative
> projects via the supplied Visual Studio workspace. In the former
> case, the APR library appears to be statically linked into
> tcnative-1.dll, so I don't have to provide libapr-1.dll, however I
> do still need to provide libeay.dll and ssleay.dll. In the latter
> case, I provide libtcnative-1.dll, libapr-1.dll, and the two
> OpenSSL libraries. In both cases, it works when FIPS mode is off,
> but not when it is on.
> 
> Is there anything special I need to do to correctly build tcnative
> to support a FIPS-compatible OpenSSL build with FIPSMode turned on
> in Tomcat?
> 
> All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and 
> OpenSSL both 1.0.1c and 1.0.1e, on 32-bit Windows Server 2008.

Unfortunately, I have no experience building projects on Microsoft
Windows... I was able to get the library built and successfully
enabled FIPS mode on Linux (where I did my minimal testing).

What does "openssl.exe version" currently print? I presume it
advertises FIPS-mode? Given that you are getting an OpenSSL error
message, it appears that you have built tcnative properly (that is,
OPENSSL_FIPS has been detected and tcnative is actually attempting to
enter FIPS mode). So I think something must be wrong with either the
OpenSSL library itself or the linkage between the two.

I notice that Tomcat distributes openssl.exe and not openssl.dll (or
similar). Are you building openssl.exe or openssl.dll when you build
OpenSSL?

-chris
