tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Steve Nickels <>
Subject RE: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Tue, 18 Jun 2013 16:58:55 GMT
> >> Do you think there are ways it could be improved? Better error
> >> checking, etc.? I implemented it as simply as I possibly could.
> >
> > The biggest problem seems to be that something in Tomcat on Windows
> > is interfering with OpenSSL's normal base address request (0xFB00000).
> > Normally this doesn't matter, but with the FIPS build, if the base
> > address of the library is moved from what it expects, the result is a
> > fingerprint error when FIPS mode is enabled.
> This could be a problem on *NIX as well -- any library may be re-located by
> the loader for any reason.

It's possible this could be a problem on *NIX, but it's my understanding that this error is
pretty specific to Windows. The documentation for OpenSSL FIPS says that the FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED
error code is a "Microsoft Windows specific error".

> > I ran the openssl utility on the same system as Tomcat, and Process
> > Explorer shows that its copy of libeay32.dll stays at the correct
> > address. Additionally, I tested the FIPS-compatible libeay32.dll on a
> > different server with Tomcat, and had the same problem. This seems to
> > indicate that the memory address issue is specific to Tomcat, not the
> > server.
> Or running within a JVM which has a significant amount of native code that
> gets loaded first, which may cause the loader to re-locate the library when it
> finally gets loaded.
> Any interest in trying some Java-based testing using libtcnative?

I'm game, if you let me know what you'd like me to do. : )

> > I can't tell from Process Explorer why libeay32.dll is being rebased
> > (I didn't see any other libraries under tomcat7.exe that were
> > obviously taking up the same address space). I think it's going to
> > take someone with more experience with both Windows and Tomcat than
> I
> > to figure that one out. I suppose it might be worthy of a bug report,
> > at least.
> That would be good -- bug reports have more visibility than mailing list posts,
> and it's a good place to collect information all in one place.

I submitted bug 55113 for this. (

> I'm curious: what base address did you use when you changed it?

The one that worked for me was 0x6FB00000.

> > If the fix for the memory rebasing issue ends up being that OpenSSL
> > needs to be configured with a different base address, that would be
> > good to include in the build documentation for tcnative.
> > The file \jni\native\srclib\BUILDING would be a good place for such a
> > note. But, if the interfering Tomcat piece were to be found and
> > resolved, you wouldn't need it.
> I suspect this is an OS-related thing that Tomcat can't really affect.
> Note that (other than tcnative and the win32 service-launcher), Tomcat
> doesn't have any native code at all, so it can't really affect this kind of stuff.
> Tomcat just issues a System.loadLibrary() call and lets the JVM and OS take
> over.
> >>> With my test application, the original base address was not being
> >>> changed by the OS, according to process explorer, which is why it
> >>> worked with the original build.
> >>>
> >>> Thanks for your help!
> >>
> >> No problem. If there were any other gotchas you found when building
> >> tcnative/FIPS/win32 could you let us know? Actually, creating a Wiki
> >> page is easy to do and you could help others who are trying to do the
> >> same thing.
> >
> > One minor issue I found when building tcnative on Windows was that
> > the BUILDING file in the \jni\native directory in
> > appears to contain UNIX build
> > instructions. This probably isn't appropriate, since the zip file is
> > specific to win32.
> That's a good point. Could you log that in Bugzilla as well? There are
> (brief) building instructions on
> but they should probably also be in the BUILDING file.

Submitted bug 55114 for this. (

> > If there's a good place to put a wiki page about this, let me know,
> > and I can try to add something.
> Really anywhere under would be great.
> If I were looking for information about this, I'm not sure where I'd look first.
> Perhaps under "Security"?

If I get a chance, I'll try and add something here.

--Steve Nickels
Ipswitch, Inc.
View raw message