> >> Do you think there are ways it could be improved? Better error
> >> checking, etc.? I implemented it as simply as I possibly could.
> >
> > The biggest problem seems to be that something in Tomcat on Windows
> > is interfering with OpenSSL's normal base address request (0xFB00000).
> > Normally this doesn't matter, but with the FIPS build, if the base
> > address of the library is moved from what it expects, the result is a
> > fingerprint error when FIPS mode is enabled.
>
> This could be a problem on *NIX as well -- any library may be re-located by
> the loader for any reason.

It's possible this could be a problem on *NIX, but it's my understanding that
this error is pretty specific to Windows. The documentation for OpenSSL FIPS
says that the FIPS_R_FINGERPRINT_DOES_NOT_MATCH_NONPIC_RELOCATED error code is
a "Microsoft Windows specific error".

> > I ran the openssl utility on the same system as Tomcat, and Process
> > Explorer shows that its copy of libeay32.dll stays at the correct
> > address. Additionally, I tested the FIPS-compatible libeay32.dll on a
> > different server with Tomcat, and had the same problem. This seems to
> > indicate that the memory address issue is specific to Tomcat, not the
> > server.
>
> Or running within a JVM which has a significant amount of native code that
> gets loaded first, which may cause the loader to re-locate the library when it
> finally gets loaded.
>
> Any interest in trying some Java-based testing using libtcnative?

I'm game, if you let me know what you'd like me to do. : )

> > I can't tell from Process Explorer why libeay32.dll is being rebased
> > (I didn't see any other libraries under tomcat7.exe that were
> > obviously taking up the same address space). I think it's going to
> > take someone with more experience with both Windows and Tomcat than I
> > to figure that one out. I suppose it might be worthy of a bug report,
> > at least.
>
> That would be good -- bug reports have more visibility than mailing list
> posts, and it's a good place to collect information all in one place.

I submitted bug 55113 for this.
(https://issues.apache.org/bugzilla/show_bug.cgi?id=55113)

> I'm curious: what base address did you use when you changed it?

The one that worked for me was 0x6FB00000.

> > If the fix for the memory rebasing issue ends up being that OpenSSL
> > needs to be configured with a different base address, that would be
> > good to include in the build documentation for tcnative.
> > The file \jni\native\srclib\BUILDING would be a good place for such a
> > note.
> > But, if the interfering Tomcat piece were to be found and
> > resolved, you wouldn't need it.
>
> I suspect this is an OS-related thing that Tomcat can't really affect.
> Note that (other than tcnative and the win32 service-launcher), Tomcat
> doesn't have any native code at all, so it can't really affect this kind of
> stuff.
> Tomcat just issues a System.loadLibrary() call and lets the JVM and OS take
> over.
>
> >>> With my test application, the original base address was not being
> >>> changed by the OS, according to process explorer, which is why it
> >>> worked with the original build.
> >>>
> >>> Thanks for your help!
> >>
> >> No problem. If there were any other gotchas you found when building
> >> tcnative/FIPS/win32 could you let us know? Actually, creating a Wiki
> >> page is easy to do and you could help others who are trying to do the
> >> same thing.
> >
> > One minor issue I found when building tcnative on Windows was that
> > the BUILDING file in the \jni\native directory in
> > tomcat-native-1.1.27-win32-src.zip appears to contain UNIX build
> > instructions. This probably isn't appropriate, since the zip file is
> > specific to win32.
>
> That's a good point. Could you log that in Bugzilla as well? There are
> (brief) building instructions on http://tomcat.apache.org/native-doc/
> but they should probably also be in the BUILDING file.

Submitted bug 55114 for this.
(https://issues.apache.org/bugzilla/show_bug.cgi?id=55114)

> > If there's a good place to put a wiki page about this, let me know,
> > and I can try to add something.
>
> Really anywhere under http://wiki.apache.org/tomcat/FAQ would be great.
> If I were looking for information about this, I'm not sure where I'd look
> first.
> Perhaps under "Security"?

If I get a chance, I'll try and add something here.

--Steve Nickels
Ipswitch, Inc.
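The thread above turns on one question: is the FIPS-capable libeay32.dll ending up at the base address it was linked for? The script below is an added example, not code from this thread, from OpenSSL or from the Tomcat project. It reads the two PE header fields that decide whether the Windows loader is allowed to move an image: the preferred ImageBase in the optional header, and the DYNAMIC_BASE bit in DllCharacteristics (the ASLR opt-in, which lets the loader relocate the image even when its preferred range is free), together with the IMAGE_FILE_RELOCS_STRIPPED flag in the COFF header. The sample headers it parses are constructed in the script itself; the 0xFB00000 and 0x6FB00000 values come from the thread, but whether the real DLL in this report had DYNAMIC_BASE set is not stated there, so the script is a check to run, not a diagnosis of this case.

```python
import struct
import sys

# Flag values and offsets below are from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(data):
    """Return the header fields that decide whether the loader may move
    this image: preferred ImageBase, relocs-stripped, DYNAMIC_BASE."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, _nsec, _ts, _sym, _nsym, _optsz, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:          # 32-bit: ImageBase is a DWORD at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == PE32PLUS_MAGIC:    # 64-bit: ImageBase is a QWORD at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)  # same offset for both
    return {
        "machine": machine,
        "pe32plus": magic == PE32PLUS_MAGIC,
        "image_base": image_base,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "relocs_stripped": bool(chars & IMAGE_FILE_RELOCS_STRIPPED),
        "dynamic_base": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
    }


def relocation_findings(info, expected_base=None):
    """Reasons, in plain text, why the image might not land at expected_base."""
    findings = []
    if expected_base is not None and info["image_base"] != expected_base:
        findings.append("preferred ImageBase is 0x%X, expected 0x%X"
                        % (info["image_base"], expected_base))
    if info["dynamic_base"]:
        findings.append("DYNAMIC_BASE set: loader may randomize the base even if free")
    if not info["relocs_stripped"]:
        findings.append("relocations present: loader will rebase if 0x%X is occupied"
                        % info["image_base"])
    return findings


def make_sample_dll(image_base, dynamic_base=False, pe32plus=False):
    """CONSTRUCTED minimal PE header (no sections) so the parser can be run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew at 0x3C -> 0x40
    opt = bytearray(240 if pe32plus else 224)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<H", opt, 70,
                     IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE if dynamic_base else 0)
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), IMAGE_FILE_DLL)
    return dos + b"PE\0\0" + coff + bytes(opt)


def loaded_base_windows(module_name):
    """On Windows, where a module already loaded in *this* process sits
    (HMODULE is the load address); None elsewhere or if not loaded."""
    if sys.platform != "win32":
        return None
    import ctypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    return k32.GetModuleHandleW(module_name) or None


if __name__ == "__main__":
    # Usage: python pebase.py [path\to\libeay32.dll]; without a path, the
    # constructed sample with the thread's default base 0xFB00000 is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample_dll(0x0FB00000)
    info = parse_pe_headers(blob)
    print("ImageBase=0x%X PE32+=%s DYNAMIC_BASE=%s relocs_stripped=%s"
          % (info["image_base"], info["pe32plus"], info["dynamic_base"], info["relocs_stripped"]))
    for finding in relocation_findings(info, 0x0FB00000):
        print(" -", finding)
```

Point it at the DLL you actually built and compare the printed ImageBase with the address Process Explorer shows inside tomcat7.exe; `dumpbin /headers libeay32.dll` reports the same "image base" and "Dynamic base" fields if you prefer the Microsoft tool. The `loaded_base_windows` helper only sees modules in the Python process that calls it, so for Tomcat's own process Process Explorer remains the way to read the loaded address, as the thread does. If DYNAMIC_BASE is set, relinking to 0x6FB00000 may only help by chance, since the loader is permitted to move the image regardless of what is free.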