-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Steve,
On 6/13/13 1:57 PM, Steve Nickels wrote: > I figured out the problem. The error was due to my system rebasing > the libeay32.dll library from its desired base address of > 0xFB00000. According to OpenSSL documents, this is supposed to > generate a specific error message of > FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELATED, but because I > wasn't seeing that, I didn't think that was the problem. Interesting. Do you think it was being swallowed-up somewhere? Like I said, tcnative/FIPS hasn't gotten a huge amount of exposure. Do you think there are ways it could be improved? Better error checking, etc.? I implemented it as simply as I possibly could. (I also noticed a small bug when checking the code around FIPS_mode_set in tcnative: the OpenSSL docs say that if FIPS_mode_set(x) is successful and x != 0, then the function returns x. The check in there is against 1 and not x. So that could afford to be fixed.) > However, process explorer showed that the base address of > libeay32.dll in the tomcat7.exe process was not at its correct > base address. I recompiled OpenSSL with a new base address, > verified that the new dll wasn't being rebased, and then turned on > FIPS mode, and it worked. Wow, that could certainly confuse things. Again, I don't know anything about building on win32, but is that the kind of thing that we could better-document (or document /at all/) somewhere in the source bundle? Is there a project file that could contain such a hint that a casual DIY user like you would have consulted? > With my test application, the original base address was not being > changed by the OS, according to process explorer, which is why it > worked with the original build. > > Thanks for your help! No problem. If there were any other gotchas you found when building tcnative/FIPS/win32 could you let us know? Actually, creating a Wiki page is easy to do and you could help others who are trying to do the same thing. Thanks, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCAAGBQJRugwMAAoJEBzwKT+lPKRYLY8QAMFcsCWHn0ZXJsi9pqndPYa+ EJ57iZwR4odAZ9uspZwo5+ttViVsYI5vFcS9jNRbB5y8fu3p/I20jCeO2cqsGEH1 2rvI9Q5ynxl9fD9BH8dAIEMhnyH1IOBhrw/pAfwhl2YH5u3GnIDfyvw8cKTzliok O+c9dT8wF1+yvDf0A45J+B3RjZCXZFvqyVmFOpOt73Bc+k3IgR82w3yNolRyAmIu TM2htIhdYibFCMO7FwsrjkczvNdS4YZXdyx5Yk1FB4HQisnOnwQtngQJNYnwR0RO qFsW3GJdsQZzgOwQLdmfF4BGTOjPSRQ+8B3ANpbu2Np63w3lLqSNYL6YzTkP1zMd n5g8/tiy+zYiSglQhcwBb3SGsAkxA0eA/zLr/kvnuf1NRucvx1hy0cnPJPjbLXyn fhE9McgPkhkhNm6Hfei1hKda2HKF22cuamx96aV0BVFtTzhfyVLqz2sXSrGGwQe1 FIsBjdLHYQ3h9f/cEf7NlahcKNJPDGnJfvXkCc+ypNlIthyj5OgrfB20whxomo+i UnEcxACUntEvB1gIQSZLidgu4DLwrrz2vMIdhT6Q08p+j8QBTWcqumlXQ4kwYJF/ 2DAvGUKA3GEMMelZargeOMjobJKQ7/TFDoolpYuMejJsB1WfjVJIgKsTmLiWCuIp u+SpbpznQVQeIAtr9Q7e =WVnL -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
