tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Beckey <>
Subject Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date Wed, 12 Jun 2013 12:08:21 GMT
Getting FIPS mode turned on and running is, unfortunately, far more complex than getting the
libs, or even building them, and installing them.
You need to follow the directions for building the FIPS module here:

I've gone through this for OpenSSL 0.9 (FIPS 1.2), not for 2.0 and it is a process that takes
a day at least, more likely two or three including collecting all the right tools.  Keep in
mind that you are trying to build an exact version of a library, not a functionally equivalent
version. Things like compiler version make a difference.

Basically, the process assures that the libs you build are validated as not having been changed
since they were built and they were built from the unchanged source  This involves a series
of steps to validate everything from the downloaded source through to the finished lib.  Unfortunately
I don't have access to the libs I built, they could get you through testing.  They would NOT
be acceptable as genuinely FIPS compliant because you need to document the build process,
including the signatures at each step, and keep that documentation.

The error you are getting is expected because the lib you've built won't have the correct
fingerprint (basically a hash of the lib) as compared to the known value.  When you start
FIPS mode, it runs validation on the loaded libraries.  You'll probably notice a marked delay
when it does start up correctly in FIPS mode.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message