Hi all,

I've been trying to compile tcnative on Windows with a FIPS-compatible build of OpenSSL. I've been successful building and running tcnative this way, at least until I turn on FIPS mode on the AprLifecycleListener config in Tomcat.

When FIPSMode is set to "off", Tomcat works fine, and SSL services operate correctly. When it is set to "on", however, Tomcat refuses to start, and I get the following error in the catalina log file:

    SEVERE: Failed to initialize the SSLEngine.
    java.lang.Exception: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

I'm fairly confident that the OpenSSL library I'm using is valid and uncorrupted (I've used a couple different copies: an existing set of binaries being used successfully in another product internally, and a newly built version which I have successfully used the openssl utility against, without error). My assumption is that I'm not building/linking OpenSSL correctly into tcnative.

So far I've tried building both the tcnative and libtcnative projects via the supplied Visual Studio workspace. In the former case, the APR library appears to be statically linked into tcnative-1.dll, so I don't have to provide libapr-1.dll; however, I do still need to provide libeay.dll and ssleay.dll. In the latter case, I provide libtcnative-1.dll, libapr-1.dll, and the two OpenSSL libraries. In both cases, it works when FIPS mode is off, but not when it is on.

Is there anything special I need to do to correctly build tcnative to support a FIPS-compatible OpenSSL build with FIPSMode turned on in Tomcat?

All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and OpenSSL both 1.0.1c and 1.0.1e, on 32-bit Windows Server 2008.

Thanks!

--Steve Nickels
Ipswitch, Inc.