tomcat-users mailing list archives
From Geett Chanddra Singha <gee...@gmail.com>
Subject Re: FIPS Mode enabling on Tomcat 7.00.057
Date Thu, 05 Feb 2015 12:19:20 GMT
Thanks Chris!

I was able to resolve the issue.

On Fri, Jan 30, 2015 at 10:09 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Geet,
>
> On 1/30/15 1:22 AM, Geett Chanddra Singha wrote:
> > Steps followed to build FIPS
> >
> > tar zxf openssl-1.0.1l.tar.gz
> >
> > cd openssl-1.0.1l
> >
> > ./config --prefix=/usr/local
> > --with-fipsdir=/usr/local/ssl/fips-2.0
> >
> > make
> >
> > make install
> >
> > Note: I have installed the FIPS module in /usr/local/ssl/fips-2.0
>
> You have to do "./config fips --with-fipsdir=[...]". You are missing
> the "fips" argument to "config".
>
> After I did the "config", it told me that I needed to first "make
> depend". Then I did a regular "make" and got a FIPS-capable module (as
> tested by doing:
>
> $ cd test
> $ sh ./testfipsssl
>
> (Note that this test fails part way through because it's missing some
> kind of fake certificate... it looks like a problem with the test itself).
>
> I ran the test without building with FIPS and it died right away, so
> I'm confident I ended up with a FIPS-capable module:
>
> $ sh ./testfipsssl
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> test ssl3 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> Available compression methods:
>   NONE
> 140652183557800:error:140A9129:SSL routines:SSL_CTX_new:only tls
> allowed in fips mode:ssl_lib.c:1715:
> 140652183557800:error:140A9129:SSL routines:SSL_CTX_new:only tls
> allowed in fips mode:ssl_lib.c:1715:
> test ssl2 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> Available compression methods:
>   NONE
> 139882949523112:error:140A9129:SSL routines:SSL_CTX_new:only tls
> allowed in fips mode:ssl_lib.c:1715:
> 139882949523112:error:140A9129:SSL routines:SSL_CTX_new:only tls
> allowed in fips mode:ssl_lib.c:1715:
> test tls1
> *** IN FIPS MODE ***
> Available compression methods:
>   NONE
> TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 2048 bit RSA
> 1 handshakes of 256 bytes done
> test tls1 with server authentication
> *** IN FIPS MODE ***
> Available compression methods:
>   NONE
> server authentication
> depth=0 error=20 /C=UK/O=OpenSSL Group/OU=FOR TESTING PURPOSES
> ONLY/CN=Test Server Cert
> Error string: unable to get local issuer certificate
> ERROR in CLIENT
> 140515612989096:error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify
> failed:s3_clnt.c:1162:
> TLSv1, cipher (NONE) (NONE)
> 1 handshakes of 256 bytes done
>
> $ cd ..
> $ ./apps/openssl version
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> OpenSSL 1.0.1l-fips 15 Jan 2015
>
> (Man... OpenSSL really is a big ball of crap: you have to be in the
> exact right directory for everything to work. It's amazing that these
> guys don't fix stuff like that. I like scripting everything, and
> having to do a "cd" in a script usually means that it's going to be
> hard to do things properly.)
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
>
> iQIcBAEBCAAGBQJUy7PaAAoJEBzwKT+lPKRYAqcQAI+So5gWQYfh166f1V30jrR4
> IqWHGvwxUYjIRPeuwu6V0tTVgAkwcspRiMapLWOIpSojrr+9jysj2N85EOVSpg+r
> yIkc7dJmDgvaQ025u6bhnCby8YwupVmoyQKuiR4CzQb+ZjZIaDgp0l4XEyP/DxTy
> UDD/CnXvJE/Fgp6lwnOcLygOYuPwGq0cDMcJEW5RT9TMfp8T0yLgOoC8NOuYp4q5
> Buywt9adAjNYZR1xREIKgRzEXEalFuI2dA4XyIV55Pye00dsAufsBj/uLhv4xAva
> XU3qbHnHSnycfiipGjW60ZM0zJqLtszx3Q26luElCbv9QqOAyf68+QV4cYVhI2rY
> 6SefnQZ2mCQKDs15+aYyB093zveQxKLkVIHyYsbHLpe0oPBUp0f8cy5UVRZnmtE+
> H8IXxG3jaz6mG15DYF6IXyg/GVlHMS+RQdoD2c0sNN+WtY0g+7kbcNLcrjwvsei0
> nKm6lnWXDUT4u8ggp5h+XDSbf1RzyxMyl6B9EwFW39rgmOnTtYIJjW7N8TxvcxvI
> 5LBEUJUcVSi2kb3tiWNHdcEeT5cnk8Woy3Tyoi+OrdcDoawz7x8o8sroXHgXogxN
> Zm5k6gAB+4xCv8LUVnkRV2qu+MBk6hmX5vEOp8NYf0xKzEuOhYGyxSL4b/5U+6c2
> bbYfRCbqLI/ySkifw55o
> =o/7E
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


-- 
Thanks & Regards
Geett Chanddra Singha
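
The build-and-verify procedure Chris describes above (config with the "fips" argument, "make depend", "make", then testfipsssl and "openssl version"), as an added shell example that is not part of this thread and is not OpenSSL's or Tomcat's own tooling. The variables OPENSSL_SRC, FIPSDIR and PREFIX and all function names are assumptions for illustration; the FIPS Object Module is assumed to be already installed under FIPSDIR, as in the original post. The two check functions are fed the text of "openssl version" and of the testfipsssl run, and the sample strings in comments are taken from the output quoted above. This covers only the OpenSSL side of the setup, which is all the thread discusses.

```shell
#!/bin/sh
# Added example, not from the thread. Builds OpenSSL 1.0.1l against an
# already-installed FIPS Object Module and verifies the result the way Chris
# did: "openssl version" must report "-fips", and testfipsssl must refuse
# SSLv2/SSLv3 while entering FIPS mode for TLS.
# OPENSSL_SRC, FIPSDIR and PREFIX are assumed paths; override them as needed.

OPENSSL_SRC="${OPENSSL_SRC:-openssl-1.0.1l}"    # unpacked source tree
FIPSDIR="${FIPSDIR:-/usr/local/ssl/fips-2.0}"    # where the FIPS module lives
PREFIX="${PREFIX:-/usr/local}"

# Build steps from the thread. The "fips" argument to config is what the
# original attempt was missing. Every step runs in a subshell so the script
# itself never changes directory (the "cd" problem Chris complains about).
build_fips_openssl() {
    ( cd "$OPENSSL_SRC" && \
      ./config fips --prefix="$PREFIX" --with-fipsdir="$FIPSDIR" ) || return 1
    ( cd "$OPENSSL_SRC" && make depend && make ) || return 1
}

# Run the FIPS SSL self-test from the test/ directory, again in a subshell.
# stderr is merged because the "IN FIPS MODE" and error lines go there.
run_testfipsssl() {
    ( cd "$OPENSSL_SRC/test" && sh ./testfipsssl 2>&1 )
}

# Return 0 iff the text of "openssl version" names a FIPS build,
# e.g. "OpenSSL 1.0.1l-fips 15 Jan 2015" (a non-FIPS build has no "-fips").
version_is_fips() {
    case "$1" in
        *OpenSSL*-fips*) return 0 ;;
        *)               return 1 ;;
    esac
}

# Return 0 iff the combined testfipsssl output shows the library entering
# FIPS mode and rejecting both SSLv3 and SSLv2 with the "only tls allowed"
# error; a build without FIPS support prints none of these markers.
testfipsssl_ok() {
    out="$1"
    printf '%s\n' "$out" | grep -q 'IN FIPS MODE'                        || return 1
    printf '%s\n' "$out" | grep -q 'only tls allowed in fips mode'       || return 1
    printf '%s\n' "$out" | grep -q 'test ssl3 is forbidden in FIPS mode' || return 1
    printf '%s\n' "$out" | grep -q 'test ssl2 is forbidden in FIPS mode' || return 1
    return 0
}

# Full verification of a built tree: both checks must pass.
verify_fips_build() {
    ver=$( "$OPENSSL_SRC/apps/openssl" version 2>&1 ) || return 1
    version_is_fips "$ver" || { echo "not a FIPS build: $ver" >&2; return 1; }
    testfipsssl_ok "$(run_testfipsssl)" \
        || { echo "testfipsssl did not enter FIPS mode" >&2; return 1; }
    echo "FIPS-capable: $ver"
}

# Only build or verify when explicitly asked, so the file can be sourced for
# its functions without side effects.
case "${1:-}" in
    build)  build_fips_openssl && verify_fips_build ;;
    verify) verify_fips_build ;;
esac
```

Run it as "sh build-fips.sh build" to configure, build and verify in one go, or "sh build-fips.sh verify" against a tree that is already built. The version check alone is not enough: a tree configured without "fips" still produces a working "openssl" binary, which is why the script also requires the self-test to show the SSLv2/SSLv3 refusals before it reports success.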
