tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Thu, 13 Jun 2013 14:17:03 GMT

On 6/12/13 6:54 PM, Steve Nickels wrote:
>>> I'm fairly confident that the OpenSSL library I'm using is
>>> valid and uncorrupted (I've used a couple different copies: an
>>> existing set of binaries being used successfully in another
>>> product internally, and a newly built version which I have
>>> successfully used the openssl utility against, without error).
>> Can you write a simple C program to link against OpenSSL and try
>> to start it in FIPS mode? Does that work without error? Feel free
>> to just steal code from tcnative to put together a Frankenstein's
>> monster of code just to see if it works.
> I've done so, and verified that my OpenSSL build seems to be
> working correctly, both in FIPS mode and not. My test program
> creates SHA-1 and MD5 hashes of a simple string value. With FIPS
> mode off, both hashes are returned. With FIPS mode on, the SHA-1
> hash is returned, and the MD5 hash generates the expected "disabled
> for fips" error. There was no error at the point of
> FIPS_mode_set(1), which seems to indicate that the self tests
> passed. This matches what I saw when I used the openssl.exe utility
> that was compiled with OpenSSL (version OpenSSL 1.0.1c-fips 10 May
> 2012).
> Using this same OpenSSL build in tcnative, however, results in the
> fingerprint error when Tomcat starts up with FIPS mode enabled.
>>> My assumption is that I'm not building/linking OpenSSL
>>> correctly into tcnative.
>> ...and you are building tcnative by hand because the OpenSSL
>> Tomcat provides is not built with FIPS compatibility, right? You
>> will have to make sure you have a FIPS-compatible OpenSSL (please
>> post the result of "openssl.exe version") and you will definitely
>> have to re-build tcnative against it because otherwise all the
>> FIPS stuff will generate errors before even trying to call 
>> FIPS_mode_set on OpenSSL.
> Correct. I get the expected "FIPS not available" error when I turn
> on FIPS mode using the stock tcnative-1.dll library that comes with
> Tomcat. The FIPS-compatible OpenSSL build I have reports as
> "OpenSSL 1.0.1c-fips 10 May 2012".
>> I notice that Tomcat distributes openssl.exe and not openssl.dll
>> (or similar). Are you building openssl.exe or openssl.dll when
>> you build OpenSSL?
> Building OpenSSL on Windows results in three distributable files:
> libeay32.dll, ssleay32.dll, and openssl.exe. I copy the first two
> into Tomcat\bin, along with tcnative-1.dll, in order to make
> OpenSSL available to tcnative. It also results in libeay32.lib and
> ssleay32.lib, which are used in the tcnative compile process.

What happens if you put openssl.exe in there alongside the .dll files?

With your test program, was anything in the PATH (or current
directory) other than the two .dll files? (I'm just trying to figure
out why Tomcat ships with openssl.exe at all... I thought it was all

I presume you are not building a statically-linked tcnative.dll (which
would include the OpenSSL code), right?

-chris