tomcat-users mailing list archives

From Steve Nickels
Subject RE: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Fri, 28 Jun 2013 14:36:40 GMT
> >>> I ran the openssl utility on the same system as Tomcat, and Process
> >>> Explorer shows that its copy of libeay32.dll stays at the correct
> >>> address. Additionally, I tested the FIPS-compatible libeay32.dll on
> >>> a different server with Tomcat, and had the same problem. This seems
> >>> to indicate that the memory address issue is specific to Tomcat, not
> >>> the server.
> >>
> >> Or running within a JVM which has a significant amount of native code
> >> that gets loaded first, which may cause the loader to re-locate the
> >> library when it finally gets loaded.
> >>
> >> Any interest in trying some Java-based testing using libtcnative?
> >
> > I'm game, if you let me know what you'd like me to do. : )
> All you should have to do is write a small Java program that calls
> AprLifecycleListener.lifecycleEvent with an event of type
> You'll of course have to call things like setFIPSMode(true), etc.
> I wonder if you did that without the rest of Tomcat loaded if anything would
> change. I would bet that it's more likely that the bulk of the JVM is causing
> the re-location of the library than anything else.

You are right. Even with that simple program the OpenSSL library gets rebased.

> >> I'm curious: what base address did you use when you changed it?
> >
> > The one that worked for me was 0x6FB00000.
> Did you just choose one randomly?

Most of the other memory addresses in the process seemed to be at the 0x6xxxxxxx range, so
I just tried adding 6 to the beginning of the default memory address, and it worked.

> I wonder if you follow the suggestions from the aforementioned thread for
> re-building everything with the /FIXED switch. That seems to have fixed
> everyone's issues, but you have to be sure to build everything very carefully
> or one component can still be relocatable. tcnative of course does not care.

I may still be doing something wrong, but I still haven't been able to get this switch to
work. I added it to the LFLAGS set in the OpenSSL build, but libeay32.dll still gets rebased
when running through tcnative.

--Steve Nickels
Ipswitch, Inc.
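
One way to check from the file itself whether `/FIXED` took effect on a DLL such as libeay32.dll, and which preferred base address it was linked with, is to read the PE header. This is an added example, not part of the original message or of the Tomcat or OpenSSL code; the function names and the constructed sample header are hypothetical, and the sample base address is the one quoted in the message.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics: no base relocations
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # optional header: image opts in to ASLR

def pe_base_info(data):
    """Return the preferred ImageBase and relocation-related flags of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)       # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    (characteristics,) = struct.unpack_from("<H", data, coff + 18)
    opt = coff + 20                                        # optional header start
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                                     # PE32
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                                   # PE32+
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "image_base": image_base,
        # Set when the image carries no relocations and must load at image_base.
        "relocs_stripped": bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }

def build_sample(image_base, fixed):
    """Constructed minimal 32-bit PE header, for demonstration only."""
    buf = bytearray(0x40 + 4 + 20 + 96)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                # PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44 + 18, 0x2102 | (1 if fixed else 0))
    struct.pack_into("<H", buf, 0x58, 0x10B)               # PE32 magic
    struct.pack_into("<I", buf, 0x58 + 28, image_base)
    return bytes(buf)

if __name__ == "__main__":
    # Pass a DLL path to inspect a real file; otherwise use the constructed sample.
    raw = open(sys.argv[1], "rb").read(4096) if len(sys.argv) > 1 \
        else build_sample(0x6FB00000, fixed=True)
    info = pe_base_info(raw)
    print("ImageBase 0x%X relocs_stripped=%s dynamic_base=%s"
          % (info["image_base"], info["relocs_stripped"], info["dynamic_base"]))
```

If `relocs_stripped` is false for the rebuilt DLL, the `/FIXED` option did not reach the link step that produced that file.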