Hi Users,

I use Apache Webserver and mod_ssl as the server application. I want to upgrade this server to use a FIPS validated module, hence I am using Openssl-fips-1.2 in conjunction with Openssl-0.9.8j. I would like to know where we have to make this FIPS_mode_set() API call. Should FIPS mode be enabled as soon as the main() function of the httpd project starts, or can I enable it after all the DLLs are loaded and I am about to run my own threads?

I have tried to do the following and faced problems on both accounts:

1. If the FIPS_mode_set() API is called at the beginning of the main() function in main.c in the httpd project of Apache, then the server exits. The log file entries show "Failed to generate temporary 512 bit RSA private key" and "Seeding PRNG with 0 bytes of entropy".

2. If the FIPS_mode_set() API is called after all DLLs are loaded, then, when I connect from my client application, it fails to connect. When I debug, I find that SSL_accept() in ssl_engine_io.c of the mod_ssl project fails with error code 5. Also, if the server page is accessed from Internet Explorer, then the server crashes trying to free memory!! The call stack shows calls to free() in dbgheap.c in msvcr80d.dll. (I am not able to provide the call stack right now; please bear with me.) The call stack runs roughly like this: libhttpd.dll -> mod_ssl.dll -> ssleay32.dll -> msvcr80.dll -> dbgheap. I have tried setting LogLevel to DEBUG in the config file to find the problem area, but then the server crashes earlier, at ap_log_error() in libhttpd. If it is set to ERROR, then the crash occurs at free() in dbgheap.c (from msvcr80d.dll).

Could you tell me which is the right place to make this call? If it should be in main.c in the httpd project, then could you tell me what needs to be done about the failed RSA private key generation error?

3. Should my client application also be in FIPS mode to connect to a FIPS-enabled server? If so, are there any additional things I have to do, or does calling the FIPS_mode_set() API at the very beginning of the client application suffice?

It would be very helpful if any of you could give a clear picture on this.

Thanks & Regards,
Uma Nayak