tomcat-users mailing list archives

From Steve Nickels <snick...@ipswitch.com>
Subject RE: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Wed, 12 Jun 2013 22:54:50 GMT
> > I'm fairly confident that the OpenSSL library I'm using is valid and
> > uncorrupted (I've used a couple different copies: an existing set of
> > binaries being used successfully in another product internally, and a
> > newly built version which I have successfully used the openssl utility
> > against, without error).
> 
> Can you write a simple C program to link against OpenSSL and try to start it in
> FIPS mode? Does that work without error? Feel free to just steal code from
> tcnative to put together a Frankenstein's monster of code just to see if it
> works.

I've done so, and verified that my OpenSSL build seems to be working correctly, both in FIPS
mode and not. My test program creates SHA-1 and MD5 hashes of a simple string value. With
FIPS mode off, both hashes are returned. With FIPS mode on, the SHA-1 hash is returned, and
the MD5 hash generates the expected "disabled for fips" error. There was no error at the point
of FIPS_mode_set(1), which seems to indicate that the self tests passed. This matches what
I saw when I used the openssl.exe utility that was compiled with OpenSSL (version OpenSSL
1.0.1c-fips 10 May 2012).

Using this same OpenSSL build in tcnative, however, results in the fingerprint error when
Tomcat starts up with FIPS mode enabled.


> > My assumption is that I'm not building/linking OpenSSL correctly into
> > tcnative.
> 
> ...and you are building tcnative by hand because the OpenSSL Tomcat
> provides is not built with FIPS compatibility, right? You will have to make sure
> you have a FIPS-compatible OpenSSL (please post the result of "openssl.exe
> version") and you will definitely have to re-build tcnative against it because
> otherwise all the FIPS stuff will generate errors before even trying to call
> FIPS_mode_set on OpenSSL.

Correct. I get the expected "FIPS not available" error when I turn on FIPS mode using the
stock tcnative-1.dll library that comes with Tomcat. The FIPS-compatible OpenSSL build I have
reports as "OpenSSL 1.0.1c-fips 10 May 2012".


> I notice that Tomcat distributes openssl.exe and not openssl.dll (or similar).
> Are you building openssl.exe or openssl.dll when you build OpenSSL?

Building OpenSSL on Windows results in three distributable files: libeay32.dll, ssleay32.dll,
and openssl.exe. I copy the first two into Tomcat\bin, along with tcnative-1.dll, in order
to make OpenSSL available to tcnative. It also results in libeay32.lib and ssleay32.lib, which
are used in the tcnative compile process.


--Steve Nickels
Ipswitch, Inc. 
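The message above describes a stand-alone C program that calls FIPS_mode_set(1) to check an OpenSSL build, and the thread turns on telling apart two failures: "FIPS not available" (a non-FIPS OpenSSL under the stock tcnative) and the fingerprint/self-test error. The probe below is an added example, not Steve's program and not tcnative code; it loads libcrypto with dlopen (Linux; on Windows, libeay32.dll would need LoadLibrary instead) so one binary reports which of those cases applies. The library name is an assumption, and the reason strings matched are the ones OpenSSL 1.0.x queues for these two conditions.

```c
/* fips_probe.c: probe whether an OpenSSL build can enter FIPS mode, and why not.
 * Added example, not code from the thread or from tcnative. libcrypto is loaded
 * with dlopen so the same binary distinguishes "library missing", "non-FIPS
 * build" and "FIPS_mode_set(1) failed" (e.g. the fingerprint/self-test error). */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

enum fips_status { FIPS_NO_LIBRARY, FIPS_NOT_AVAILABLE, FIPS_SET_FAILED, FIPS_ENABLED };

typedef int (*fips_mode_set_fn)(int);
typedef unsigned long (*err_get_error_fn)(void);
typedef void (*err_error_string_n_fn)(unsigned long, char *, size_t);

/* Pure classifier, so it can be tested without any OpenSSL installed.
 * err is the text of the first OpenSSL error queued by FIPS_mode_set(1).
 * "fips mode not supported" is what a non-FIPS OpenSSL 1.0.x build queues
 * (the stock tcnative "FIPS not available" case); anything else, such as
 * "fingerprint does not match", means a FIPS module is present but its
 * power-up self-test or integrity check failed. */
enum fips_status classify_fips(int have_lib, int have_symbol, int set_rc, const char *err) {
    if (!have_lib) return FIPS_NO_LIBRARY;
    if (!have_symbol) return FIPS_NOT_AVAILABLE;   /* no FIPS API exported at all */
    if (set_rc == 1) return FIPS_ENABLED;
    if (err && strstr(err, "fips mode not supported")) return FIPS_NOT_AVAILABLE;
    return FIPS_SET_FAILED;
}

/* Load libname (assumed name, e.g. "libcrypto.so.1.0.0"), call FIPS_mode_set(1)
 * and capture the first queued OpenSSL error if it fails. */
enum fips_status probe_fips(const char *libname, char *err, size_t errlen) {
    err[0] = '\0';
    void *h = dlopen(libname, RTLD_NOW);
    if (!h) { snprintf(err, errlen, "%s", dlerror()); return classify_fips(0, 0, 0, err); }
    fips_mode_set_fn set = (fips_mode_set_fn)dlsym(h, "FIPS_mode_set");
    err_get_error_fn get_err = (err_get_error_fn)dlsym(h, "ERR_get_error");
    err_error_string_n_fn err_str = (err_error_string_n_fn)dlsym(h, "ERR_error_string_n");
    if (!set) { dlclose(h); return classify_fips(1, 0, 0, err); }
    int rc = set(1);
    if (rc != 1 && get_err && err_str) err_str(get_err(), err, errlen);
    enum fips_status s = classify_fips(1, 1, rc, err);
    dlclose(h);
    return s;
}

int main(int argc, char **argv) {
    char err[256];
    const char *lib = argc > 1 ? argv[1] : "libcrypto.so.1.0.0";  /* assumed default */
    enum fips_status s = probe_fips(lib, err, sizeof err);
    printf("%s: status %d%s%s\n", lib, (int)s, err[0] ? " - " : "", err);
    return s == FIPS_ENABLED ? 0 : 1;
}
```

Run it against the exact libcrypto that tcnative was linked with; a status of FIPS_NOT_AVAILABLE from that library means the rebuild picked up a non-FIPS OpenSSL, while FIPS_SET_FAILED with a fingerprint reason points at the module's integrity check rather than the link step.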


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
