tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Thu, 13 Jun 2013 18:14:36 GMT

Steve,

On 6/13/13 1:57 PM, Steve Nickels wrote:
> I figured out the problem. The error was due to my system rebasing 
> the libeay32.dll library from its desired base address of
> 0xFB00000. According to OpenSSL documents, this is supposed to
> generate a specific error message of 
> FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED, but because I 
> wasn't seeing that, I didn't think that was the problem.

Interesting. Do you think it was being swallowed up somewhere? Like I
said, tcnative/FIPS hasn't gotten a huge amount of exposure.

Do you think there are ways it could be improved? Better error
checking, etc.? I implemented it as simply as I possibly could.

(I also noticed a small bug when checking the code around
FIPS_mode_set in tcnative: the OpenSSL docs say that if
FIPS_mode_set(x) is successful and x != 0, then the function returns
x. The check in there is against 1 and not x. So that could afford to
be fixed.)

> However, process explorer showed that the base address of 
> libeay32.dll in the tomcat7.exe process was not at its correct
> base address. I recompiled OpenSSL with a new base address,
> verified that the new dll wasn't being rebased, and then turned on
> FIPS mode, and it worked.

Wow, that could certainly confuse things.

Again, I don't know anything about building on win32, but is that the
kind of thing that we could better document (or document /at all/)
somewhere in the source bundle? Is there a project file that could
contain such a hint that a casual DIY user like you would have consulted?

> With my test application, the original base address was not being 
> changed by the OS, according to process explorer, which is why it 
> worked with the original build.
> 
> Thanks for your help!

No problem. If there were any other gotchas you found when building
tcnative/FIPS/win32 could you let us know? Actually, creating a Wiki
page is easy to do and you could help others who are trying to do the
same thing.

Thanks,
- -chris
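The failure Steve describes comes down to one check: was libeay32.dll loaded at the base address it was linked for? The OpenSSL FIPS module's integrity fingerprint covers non-position-independent code, so a DLL the loader relocates no longer matches (the FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED case named above). The script below is an added example, not code from tcnative or OpenSSL, that makes that check scriptable: it reads the preferred ImageBase and the DllCharacteristics word straight out of the PE headers (standard PE32/PE32+ layout) and, on Windows, compares the preferred base with the address kernel32!GetModuleHandleW reports for the module inside the running process. The DYNAMIC_BASE flag test is general PE knowledge rather than something this thread states: an image built with that flag is eligible for ASLR relocation, which is the kind of rebase to expect. The 0x0FB00000 base is the value from Steve's message; build_sample_pe32 is a constructed header used only so the parser can be exercised offline.

```python
"""Check whether a DLL such as libeay32.dll sits at its preferred ImageBase.

Example added for this thread; not tcnative or OpenSSL code.
"""
import struct
import sys

# Optional-header flag meaning "this image may be relocated (ASLR)".
# General PE knowledge, not from the thread: a FIPS module with this set
# is exactly the image you should expect the loader to rebase.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040


def parse_pe_base(data):
    """Return (preferred_image_base, dynamic_base_flag) from raw PE bytes.

    Only the MZ/PE signatures and the optional-header fields we need are
    read, so this works on the file on disk without loading it.
    """
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20            # skip PE signature + 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                 # PE32: 32-bit ImageBase at offset 28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:               # PE32+: 64-bit ImageBase at offset 24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # DllCharacteristics
    return image_base, bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)


def is_rebased(preferred_base, loaded_base):
    """True when the loader placed the image somewhere other than ImageBase."""
    return preferred_base != loaded_base


def loaded_base(module_name):
    """Windows only: base address of a module already loaded in this process.

    The HMODULE returned by GetModuleHandleW is the load address. restype
    must be a pointer-sized type or the value is truncated to 32 bits.
    """
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    base = k32.GetModuleHandleW(module_name)
    if not base:
        raise OSError(ctypes.get_last_error(), "module not loaded: %s" % module_name)
    return base


def build_sample_pe32(image_base, dll_characteristics):
    """Constructed test input, not a real DLL: a minimal PE32 header."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF header: i386, no sections, 224-byte optional header, DLL flags
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)           # ImageBase
    struct.pack_into("<H", opt, 70, dll_characteristics)  # DllCharacteristics
    return dos_header + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # usage: python check_rebase.py C:\path\to\libeay32.dll [libeay32.dll]
    # With no arguments, parse the constructed header using the 0x0FB00000
    # base from the thread instead of a file on disk.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample_pe32(0x0FB00000, 0)
    base, dyn = parse_pe_base(data)
    print("preferred ImageBase: 0x%08X  DYNAMIC_BASE (ASLR): %s" % (base, dyn))
    if sys.platform == "win32" and len(sys.argv) > 2:
        actual = loaded_base(sys.argv[2])
        print("loaded at:           0x%08X  rebased: %s"
              % (actual, is_rebased(base, actual)))
```

Run it from inside the process that matters (for tomcat7.exe that means a module loaded into the same process, so in practice the file-only mode plus Process Explorer, as Steve did), or give the DLL path alone to see whether DYNAMIC_BASE is set before you even turn FIPS mode on. A DLL whose ImageBase differs from the load address, or whose DYNAMIC_BASE flag is set, is the first thing to rule out when FIPS_mode_set fails without a clear error.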


