Steve,
On 6/11/13 6:51 PM, Steve Nickels wrote:
> I've been trying to compile tcnative on Windows with a
> FIPS-compatible build of OpenSSL. I've been successful building
> and running tcnative this way, at least until I turn on FIPS mode
> on the AprLifecycleListener config in Tomcat.

Note that tcnative/FIPS mode hasn't gotten a huge amount of testing.
I'm glad we're getting some users of it.

> When FIPSMode is set to "off", Tomcat works fine, and SSL services
> operate correctly. When it is set to "on", however, Tomcat refuses
> to start, and I get the following error in the catalina log file:
>
> SEVERE: Failed to initialize the SSLEngine. java.lang.Exception:
> error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match

That definitely seems like OpenSSL is refusing to start because it's
failing its self-checks.

> I'm fairly confident that the OpenSSL library I'm using is valid
> and uncorrupted (I've used a couple different copies: an existing
> set of binaries being used successfully in another product
> internally, and a newly built version which I have successfully
> used the openssl utility against, without error).

Can you write a simple C program to link against OpenSSL and try to
start it in FIPS mode? Does that work without error? Feel free to
just steal code from tcnative to put together a Frankenstein's
monster of code just to see if it works.

> My assumption is that I'm not building/linking OpenSSL correctly
> into tcnative.

...and you are building tcnative by hand because the OpenSSL Tomcat
provides is not built with FIPS compatibility, right?

You will have to make sure you have a FIPS-compatible OpenSSL (please
post the result of "openssl.exe version") and you will definitely
have to re-build tcnative against it because otherwise all the FIPS
stuff will generate errors before even trying to call FIPS_mode_set
on OpenSSL.
> So far I've tried building both the tcnative and libtcnative
> projects via the supplied Visual Studio workspace. In the former
> case, the APR library appears to be statically linked into
> tcnative-1.dll, so I don't have to provide libapr-1.dll, however I
> do still need to provide libeay.dll and ssleay.dll. In the latter
> case, I provide libtcnative-1.dll, libapr-1.dll, and the two
> OpenSSL libraries. In both cases, it works when FIPS mode is off,
> but not when it is on.
>
> Is there anything special I need to do to correctly build tcnative
> to support a FIPS-compatible OpenSSL build with FIPSMode turned on
> in Tomcat?
>
> All this is using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and
> OpenSSL both 1.0.1c and 1.0.1e, on 32-bit Windows Server 2008.

Unfortunately, I have no experience building projects on Microsoft
Windows... I was able to get the library built and successfully
enabled FIPS mode on Linux (where I did my minimal testing).

What does "openssl.exe version" currently print? I presume it
advertises FIPS-mode?

Given that you are getting an OpenSSL error message, it appears that
you have built tcnative properly (that is, OPENSSL_FIPS has been
detected and tcnative is actually attempting to enter FIPS mode). So
I think something must be wrong with either the OpenSSL library
itself or the linkage between the two.

I notice that Tomcat distributes openssl.exe and not openssl.dll (or
similar). Are you building openssl.exe or openssl.dll when you build
OpenSSL?
-chris
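The "simple C program" suggested in the reply above, as an added example that is not part of this thread and not tcnative's code: it loads the OpenSSL crypto library from an explicit path (so you know exactly which copy is under test), calls FIPS_mode_set(1) the way tcnative does, and prints OpenSSL's own error text when the self-tests fail. It assumes an OpenSSL 1.0.x build with the FIPS object module; fips_probe and the PROBE_* result codes are names chosen for this example, while the OpenSSL symbol names are the library's real exports.

```c
/* Added example, not tcnative/Tomcat code: stand-alone FIPS-mode probe. Loads
 * the OpenSSL crypto library from an explicit path (so you know which copy is
 * under test) and calls FIPS_mode_set(1) as tcnative does. Assumes OpenSSL 1.0.x
 * with the FIPS module; fips_probe/PROBE_* are names chosen for this example. */
#include <stdio.h>
#include <stddef.h>
#ifdef _WIN32
#  include <windows.h>
#  define LOAD_LIB(p)    ((void *)LoadLibraryA(p))
#  define LOAD_SYM(h, n) ((void *)GetProcAddress((HMODULE)(h), n))
#  define CLOSE_LIB(h)   FreeLibrary((HMODULE)(h))
#else
#  include <dlfcn.h>      /* link with -ldl on older glibc */
#  define LOAD_LIB(p)    dlopen(p, RTLD_NOW)
#  define LOAD_SYM(h, n) dlsym(h, n)
#  define CLOSE_LIB(h)   dlclose(h)
#endif

enum { PROBE_FIPS_OK, PROBE_FIPS_FAILED, PROBE_NO_LIBRARY, PROBE_NO_FIPS_SYMBOL };

/* On PROBE_FIPS_FAILED, err (if non-NULL) receives OpenSSL's own error string. */
int fips_probe(const char *libpath, char *err, size_t errlen)
{
    int (*mode_set)(int); void (*load_str)(void); unsigned long (*get_err)(void);
    void (*err_str)(unsigned long, char *, size_t); void *h;
    if (err && errlen) err[0] = '\0';
    if (!(h = LOAD_LIB(libpath))) return PROBE_NO_LIBRARY;
    *(void **)&mode_set = LOAD_SYM(h, "FIPS_mode_set");
    if (!mode_set) { CLOSE_LIB(h); return PROBE_NO_FIPS_SYMBOL; }
    if (mode_set(1) == 1) return PROBE_FIPS_OK;     /* self-tests passed */
    *(void **)&load_str = LOAD_SYM(h, "ERR_load_crypto_strings");
    *(void **)&get_err  = LOAD_SYM(h, "ERR_get_error");
    *(void **)&err_str  = LOAD_SYM(h, "ERR_error_string_n");
    if (load_str) load_str();                       /* numeric codes -> text */
    if (get_err && err_str && err && errlen) err_str(get_err(), err, errlen);
    CLOSE_LIB(h);
    return PROBE_FIPS_FAILED;
}

int main(int argc, char **argv)
{
    static const char *msg[] = { "FIPS mode entered", "FIPS_mode_set failed:",
        "could not load library", "no FIPS_mode_set export (not a FIPS build)" };
    char err[256] = ""; int r;
    if (argc < 2) { fprintf(stderr, "usage: %s <crypto .dll or .so>\n", argv[0]); return 2; }
    r = fips_probe(argv[1], err, sizeof err);
    printf("%s: %s %s\n", argv[1], msg[r], err);
    return r;
}
```

Run it against each copy of the crypto DLL in turn; a fingerprint mismatch reported for the copy Tomcat actually loads points at that binary or its build, not at tcnative.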