From: Chris Beckey
To: users@tomcat.apache.org
Reply-To: "Tomcat Users List"
Subject: Re: TCNative with FIPS OpenSSL throws fingerprint error in FIPS mode
Date: Wed, 12 Jun 2013 08:08:21 -0400

Getting FIPS mode turned on and running is, unfortunately, far more complex than getting the libs, or even building them, and installing them. You need to follow the directions for building the FIPS module here:

http://www.openssl.org/docs/fips/fipsnotes.html
-and-
http://www.openssl.org/docs/fips/UserGuide.pdf

I've gone through this for OpenSSL 0.9 (FIPS 1.2), not for 2.0, and it is a process that takes a day at least, more likely two or three including collecting all the right tools. Keep in mind that you are trying to build an exact version of a library, not a functionally equivalent version. Things like compiler version make a difference.

Basically, the process assures that the libs you build are validated as not having been changed since they were built and that they were built from the unchanged source. This involves a series of steps to validate everything from the downloaded source through to the finished lib. Unfortunately I don't have access to the libs I built; they could get you through testing. They would NOT be acceptable as genuinely FIPS compliant because you need to document the build process, including the signatures at each step, and keep that documentation.

The error you are getting is expected because the lib you've built won't have the correct fingerprint (basically a hash of the lib) as compared to the known value. When you start FIPS mode, it runs validation on the loaded libraries. You'll probably notice a marked delay when it does start up correctly in FIPS mode.
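The startup check the message describes, modelled as an added example (not code from the mail, from Tomcat or from OpenSSL): a keyed hash of the whole library image is compared against the value recorded for the validated build, and a functionally equivalent rebuild with a different compiler fails the check because it is not byte-identical. The key, hash choice, library bytes and record format are all constructed for illustration; the real module's parameters are in the OpenSSL FIPS User Guide linked above.

```python
import hashlib
import hmac

# Constructed stand-in key for the illustration; NOT the key OpenSSL's FIPS module uses.
FINGERPRINT_KEY = b"example-fingerprint-key"


def fingerprint(module_bytes: bytes) -> str:
    """Keyed hash over the entire library image, as lowercase hex."""
    return hmac.new(FINGERPRINT_KEY, module_bytes, hashlib.sha256).hexdigest()


def build_record(source_tarball: bytes, module_bytes: bytes) -> dict:
    """The documentation a validated build has to keep: a hash of the unchanged
    source and the fingerprint of the library that was built from it."""
    return {
        "source_sha256": hashlib.sha256(source_tarball).hexdigest(),
        "module_fingerprint": fingerprint(module_bytes),
    }


def fips_mode_set(module_bytes: bytes, recorded_fingerprint: str) -> bool:
    """Startup integrity check: FIPS mode is only enabled when the loaded
    library's fingerprint equals the recorded known value. Constant-time compare."""
    return hmac.compare_digest(fingerprint(module_bytes), recorded_fingerprint)


# Constructed sample images; no real object code involved.
SOURCE_TARBALL = b"openssl-fips-sample-source"
VALIDATED_BUILD = b"\x7fELF" + b"fipscanister sample image, compiler A, -O2"
REBUILD_OTHER_COMPILER = b"\x7fELF" + b"fipscanister sample image, compiler B, -O2"


def demo() -> dict:
    """Validated build passes; same source rebuilt with another compiler does not."""
    record = build_record(SOURCE_TARBALL, VALIDATED_BUILD)
    return {
        "validated_build_enters_fips": fips_mode_set(VALIDATED_BUILD, record["module_fingerprint"]),
        "rebuild_enters_fips": fips_mode_set(REBUILD_OTHER_COMPILER, record["module_fingerprint"]),
    }


if __name__ == "__main__":
    print(demo())
```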