RE: FIPS disabled by httpd 2.4.3


 



Hi, 

When I tried to start Apache with FIPS on now, I was prompted for the pass phrase which is normal. After I typed in pass phrase, I got a message:

Apache: mod_ssl:Error: Pass phrase incorrect (5 more retries permitted).

When I pressed Ctrl-C to exit, I got another message:

Apache:mod_ssl:Error: Private key not found.

This is not correct, since the private key is there. The key and certificate were generated before FIPS was enabled. They were used by my Apache 2.2.22 (FIPS disabled) and I just copied them for the new httpd to use.
Once I disabled FIPS in the configuration file, I typed in the same pass phrase and could start httpd v2.4.3. What else do I need to do or check? Thanks.

Ryan Jiang

-----Original Message-----
From: Ruiyuan Jiang [mailto:RJiang@xxxxxxxx] 
Sent: Thursday, August 23, 2012 11:04 AM
To: users@xxxxxxxxxxxxxxxx
Subject: RE:  FIPS disabled by httpd 2.4.3

Thanks Rainer,

I put the statement "SSLFIPS on" in the global context section of the httpd-ssl.conf file. When I started Apache, I got a message in error_log:

# cat error_log 
[Thu Aug 23 10:30:03.014417 2012] [ssl:emerg] [pid 3190:tid 139842618164992] AH01885: FIPS mode failed
[Thu Aug 23 10:30:03.014546 2012] [ssl:emerg] [pid 3190:tid 139842618164992] SSL Library Error: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Thu Aug 23 10:30:03.014564 2012] [ssl:emerg] [pid 3190:tid 139842618164992] AH02312: Fatal error initialising mod_ssl, exiting.


Ryan Jiang



-----Original Message-----
From: Rainer Jung [mailto:rainer.jung@xxxxxxxxxxx] 
Sent: Wednesday, August 22, 2012 6:15 PM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  FIPS disabled by httpd 2.4.3

On 22.08.2012 20:47, Ruiyuan Jiang wrote:
> Hi,
>
> My OpenSSL v1.0.1c was compiled as FIPS enabled.
>
> # /usr/local/ssl/bin/openssl
> OpenSSL> version
> OpenSSL 1.0.1c-fips 10 May 2012
> OpenSSL>
>
> I compiled httpd v2.4.2 and v2.4.3 to use the above version of OpenSSL. After I started httpd v2.4.3, I noticed in the error_log that FIPS is being disabled. Why, or is there something that I did wrong with the mod_ssl option at "configure" time? Thanks.
>
> # cat  error_log
> [Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 140125173548800] AH01886: SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.603319 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity for Apache/2.6.7 (http://www.modsecurity.org/) configured.
> [Wed Aug 22 14:37:28.603331 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity: APR compiled version="1.4.6"; loaded version="1.4.6"
> [Wed Aug 22 14:37:28.603336 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity: PCRE compiled version="7.8 "; loaded version="7.8 2008-09-05"
> [Wed Aug 22 14:37:28.603340 2012] [:notice] [pid 23557:tid 140125173548800] ModSecurity: LIBXML compiled version="2.7.6"
> [Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] Original server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips
> [Wed Aug 22 14:37:28.686133 2012] [ssl:notice] [pid 23568:tid 140125173548800] AH01886: SSL FIPS mode disabled
> [Wed Aug 22 14:37:28.724620 2012] [lbmethod_heartbeat:notice] [pid 23568:tid 140125173548800] AH02282: No slotmem from mod_heartmonitor
> [Wed Aug 22 14:37:29.011086 2012] [mpm_worker:notice] [pid 23568:tid 140125173548800] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips rproxynj.fifthandpacific.com configured -- resuming normal operations
> [Wed Aug 22 14:37:29.011208 2012] [core:notice] [pid 23568:tid 140125173548800] AH00094: Command line: '/opt/apache2.4.3/bin/httpd'

http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslfips

No difference between 2.4.2 and 2.4.3 though.

In order for the message to be written, your build needs support for the 
directive. This is included in 2.4.2 and 2.4.3 by default, but could be 
disabled if during the build HAVE_FIPS is not defined. This define in 
turn is set if the OpenSSL detected during configure is of version >= 
0.9.8a and has FIPS support built in.

I would first check for differences between your builds of 2.4.2 and 
2.4.3 by adding SSLFips Off to the config. If FIPS support is not 
compiled into Apache, then it will fail to start and complain about an 
unknown directive SSLFips.

If adding the directive works for both, try setting it to On in both 
cases and check the startup messages for FIPS mode messages.

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
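Rainer's check comes down to reading the startup messages for FIPS mode. The following is an added example, not code from the thread or from httpd, that classifies Apache 2.4 error_log lines into the FIPS outcomes seen above (AH01885 "FIPS mode failed" together with the fingerprint mismatch, AH01886 "SSL FIPS mode disabled") so the comparison across builds can be scripted. The sample lines are copied from the thread; the "Operating in SSL FIPS mode" wording used for the enabled case is an assumption.

```python
import re

# Apache 2.4 error_log layout, as in the lines quoted in the thread:
#   [timestamp] [module:level] [pid N:tid M] AHnnnnn: message
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]*):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)(?::tid \d+)?\] (?:(?P<code>AH\d{5}): )?(?P<msg>.*)$"
)
FIPS_CODES = {"AH01885": "failed", "AH01886": "disabled"}  # codes from the thread

def parse_line(line):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None  # None for lines in another format

def fips_events(lines):
    """Return (verdict, events): verdict is 'failed', 'disabled', 'enabled' or
    'unknown'; events lists every FIPS-related record with pid, code and kind."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        code, msg = rec["code"], rec["msg"]
        if code in FIPS_CODES:
            kind = FIPS_CODES[code]
        elif "FIPS_check_incore_fingerprint" in msg:
            kind = "integrity"  # FIPS module self-test rejected the loaded binary
        elif "FIPS mode" in msg:
            kind = "enabled"    # assumed wording: "Operating in SSL FIPS mode"
        else:
            continue            # "OpenSSL/1.0.1c-fips" in banners is not a verdict
        events.append({"pid": rec["pid"], "code": code, "kind": kind, "msg": msg})
    kinds = {e["kind"] for e in events}
    if "failed" in kinds or "integrity" in kinds:
        return "failed", events
    for kind in ("disabled", "enabled"):
        if kind in kinds:
            return kind, events
    return "unknown", events

# Constructed sample input, copied from the lines quoted in the thread.
SAMPLE_FAILED = [
    "[Thu Aug 23 10:30:03.014417 2012] [ssl:emerg] [pid 3190:tid 139842618164992] AH01885: FIPS mode failed",
    "[Thu Aug 23 10:30:03.014546 2012] [ssl:emerg] [pid 3190:tid 139842618164992] SSL Library Error: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match",
    "[Thu Aug 23 10:30:03.014564 2012] [ssl:emerg] [pid 3190:tid 139842618164992] AH02312: Fatal error initialising mod_ssl, exiting.",
]
SAMPLE_DISABLED = [
    "[Wed Aug 22 14:37:24.561183 2012] [ssl:notice] [pid 23557:tid 140125173548800] AH01886: SSL FIPS mode disabled",
    "[Wed Aug 22 14:37:28.603343 2012] [:notice] [pid 23557:tid 140125173548800] Original server signature: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips",
]
```

Run `fips_events(open("error_log").read().splitlines())` against each build's log; a "failed" verdict with an "integrity" event points at the FIPS module's in-core fingerprint check rather than at the configuration.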




This message (including any attachments) is intended
solely for the specific individual(s) or entity(ies) named
above, and may contain legally privileged and
confidential information. If you are not the intended 
recipient, please notify the sender immediately by 
replying to this message and then delete it.
Any disclosure, copying, or distribution of this message,
or the taking of any action based on it, by other than the
intended recipient, is strictly prohibited.





