tomcat-users mailing list archives

From Steve Nickels <snick...@ipswitch.com>
Subject TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Tue, 11 Jun 2013 22:51:43 GMT
Hi all,

I've been trying to compile tcnative on Windows with a FIPS-compatible build of OpenSSL. I've
been successful building and running tcnative this way, at least until I turn on FIPS mode
on the AprLifecycleListener config in Tomcat.

When FIPSMode is set to "off", Tomcat works fine, and SSL services operate correctly. When
it is set to "on", however, Tomcat refuses to start, and I get the following error in the
catalina log file:

SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

I'm fairly confident that the OpenSSL library I'm using is valid and uncorrupted (I've used
a couple different copies: an existing set of binaries being used successfully in another
product internally, and a newly built version which I have successfully used the openssl utility
against, without error). My assumption is that I'm not building/linking OpenSSL correctly
into tcnative.

So far I've tried building both the tcnative and libtcnative projects via the supplied Visual
Studio workspace. In the former case, the APR library appears to be statically linked into tcnative-1.dll,
so I don't have to provide libapr-1.dll; however, I do still need to provide libeay.dll and
ssleay.dll. In the latter case, I provide libtcnative-1.dll, libapr-1.dll, and the two OpenSSL
libraries. In both cases, it works when FIPS mode is off, but not when it is on.

Is there anything special I need to do to correctly build tcnative to support a FIPS-compatible
OpenSSL build with FIPSMode turned on in Tomcat?

All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and OpenSSL both 1.0.1c and 1.0.1e,
on 32-bit Windows Server 2008.

Thanks!

--Steve Nickels
Ipswitch, Inc.
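The OpenSSL error string quoted in that catalina log has a fixed, machine-decodable layout (error:<packed code>:<library>:<function>:<reason>), and the packed code alone identifies the failing library, so the FIPS integrity failure can be picked out of a log automatically. The script below is an added example, not code from the original message or from Tomcat/tcnative; it assumes the OpenSSL 1.0.x error-code packing (lib << 24 | func << 12 | reason) and the library numbers from that release's err.h, and it runs over a constructed log excerpt modelled on the one in the mail.

```python
import re

# OpenSSL 1.0.x packs an error code as (lib << 24) | (func << 12) | reason
# (ERR_PACK in crypto/err/err.h). Library numbers below come from the same header.
ERR_LIBS = {6: "EVP", 9: "PEM", 11: "X509", 20: "SSL", 45: "FIPS"}
ERR_LIB_FIPS = 45

# Text form produced by ERR_error_string():
#   error:<8 hex digits>:<library>:<function>:<reason>
OPENSSL_ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]*):(?P<func>[^:\n]*):(?P<reason>[^\n]*)"
)

def unpack_error_code(code):
    """Split a packed 1.0.x error code into (lib, func, reason) numbers."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def decode_openssl_error(match):
    """Turn one regex match into a dict, flagging FIPS integrity (fingerprint) failures."""
    code = int(match.group("code"), 16)
    lib, func, reason = unpack_error_code(code)
    return {
        "code": code,
        "lib_num": lib,
        "lib_name": ERR_LIBS.get(lib, match.group("lib")),
        "func_num": func,
        "func_name": match.group("func"),
        "reason_num": reason,
        "reason_text": match.group("reason").strip(),
        # The in-core fingerprint check is the FIPS module's self-integrity test: the
        # HMAC embedded at link time does not match the module code actually loaded.
        "fips_integrity_failure": lib == ERR_LIB_FIPS
        and match.group("func") == "FIPS_check_incore_fingerprint",
    }

def scan_catalina_log(text):
    """Return decoded OpenSSL errors found anywhere in a catalina log excerpt."""
    return [decode_openssl_error(m) for m in OPENSSL_ERR_RE.finditer(text)]

# Constructed log excerpt modelled on the message quoted in the mail (the error
# string sits on one line here, as catalina.log writes it; the mail client wrapped it).
SAMPLE_LOG = """\
SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
"""

if __name__ == "__main__":
    for err in scan_catalina_log(SAMPLE_LOG):
        print(f"lib={err['lib_name']}({err['lib_num']}) func={err['func_name']}({err['func_num']}) "
              f"reason={err['reason_num']} '{err['reason_text']}' "
              f"fips_integrity_failure={err['fips_integrity_failure']}")
```

For the code in the mail, 0x2D06B06F decodes to library 45 (FIPS), function 107 and reason 111, and the flag is set, which distinguishes a module integrity failure from an ordinary SSL configuration error.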
