RE: Help Needed


 



Igor,

 

Thanks for the information.

I have given some information in response to your comments below.

Please let me know if you have any questions or concerns.

Thanks,

Srinivas

 

 

 

-----------------------------------------------------------------------------------------------------------

As far as I can see, your apache has been compiled with the wrong version of openssl:
 "--with-ssl=/usr/local/ssl"

but your openssl fips is installed under
/usr/local/ssl/bin/openssl

so no wonder fips is not working

 

 

Here is ldd information for httpd;

 

 

root@hqd-unixtst-s2 #> ldd -d /usr/local/apache/bin/httpd

        libm.so.2 =>     /usr/lib/libm.so.2

        libaprutil-1.so.0 =>     /usr/local/apache/lib/libaprutil-1.so.0

        libexpat.so.1 =>         /usr/local/lib/libexpat.so.1

        libiconv.so.2 =>         /usr/local/lib/libiconv.so.2

        libapr-1.so.0 =>         /usr/local/apache/lib/libapr-1.so.0

        libuuid.so.1 =>  /usr/lib/libuuid.so.1

        libsendfile.so.1 =>      /usr/lib/libsendfile.so.1

        librt.so.1 =>    /usr/lib/librt.so.1

        libsocket.so.1 =>        /usr/lib/libsocket.so.1

        libnsl.so.1 =>   /usr/lib/libnsl.so.1

        libpthread.so.1 =>       /usr/lib/libpthread.so.1

        libc.so.1 =>     /usr/lib/libc.so.1

        libgcc_s.so.1 =>         /usr/local/lib/libgcc_s.so.1

        libaio.so.1 =>   /usr/lib/libaio.so.1

        libmd.so.1 =>    /usr/lib/libmd.so.1

        libmp.so.2 =>    /usr/lib/libmp.so.2

        libscf.so.1 =>   /usr/lib/libscf.so.1

        libdoor.so.1 =>  /usr/lib/libdoor.so.1

        libuutil.so.1 =>         /usr/lib/libuutil.so.1

        libgen.so.1 =>   /usr/lib/libgen.so.1

root@hqd-unixtst-s2 #>

-----------------------------------------------------------------------------

 

Here is the openssl folder information on the server.

root@hqd-unixtst-s2 #> pwd

/usr/local/ssl

root@hqd-unixtst-s2 #> ls

bin          certs        fips-2.0     include      lib          man          misc         openssl.cnf  private

root@hqd-unixtst-s2 #>

It seems /usr/local/ssl/bin has the openssl command and /usr/local/ssl has all the libs and the other folders listed above.

The openssl-fips folder is located under /usr/local/ssl/fips-2.0.

Here is the information in the /usr/local/apache/logs/error_log file if I remove SSLFips On from the config file:

 

root@hqd-unixtst-s2 #> cat error_log

[Fri Dec 07 15:01:41 2012] [notice] SSL FIPS mode disabled

[Fri Dec 07 15:01:41 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]

[Fri Dec 07 15:01:43 2012] [notice] Digest: generating secret for digest authentication ...

[Fri Dec 07 15:01:43 2012] [notice] Digest: done

[Fri Dec 07 15:01:43 2012] [notice] SSL FIPS mode disabled

[Fri Dec 07 15:01:43 2012] [notice] Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.1c-fips configured -- resuming normal operations

[Fri Dec 07 15:04:26 2012] [error] [client 192.168.63.90] File does not exist: /usr/local/apache/htdocs/favicon.ico

[Fri Dec 07 15:28:42 2012] [notice] caught SIGTERM, shutting down

[Fri Dec 07 15:28:50 2012] [notice] SSL FIPS mode disabled

[Fri Dec 07 15:28:50 2012] [warn] Init: Session Cache is not configured [hint: SSLSessionCache]

[Fri Dec 07 15:28:52 2012] [notice] Digest: generating secret for digest authentication ...

[Fri Dec 07 15:28:52 2012] [notice] Digest: done

[Fri Dec 07 15:28:52 2012] [notice] SSL FIPS mode disabled

[Fri Dec 07 15:28:52 2012] [notice] Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/1.0.1c-fips configured -- resuming normal operations

[Fri Dec 07 15:32:51 2012] [notice] caught SIGTERM, shutting down

[Fri Dec 07 15:32:53 2012] [emerg] FIPS mode failed

[Fri Dec 07 15:32:53 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

[Fri Dec 07 15:57:52 2012] [emerg] FIPS mode failed

[Fri Dec 07 15:57:52 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

[Fri Dec 07 16:45:14 2012] [emerg] FIPS mode failed

[Fri Dec 07 16:45:14 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

[Fri Dec 07 17:32:19 2012] [emerg] FIPS mode failed

[Fri Dec 07 17:32:19 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

root@hqd-unixtst-s2 #>

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

From: Igor Cicimov [mailto:icicimov@xxxxxxxxx]
Sent: Friday, December 07, 2012 7:11 PM
To: users
Subject: Re: Help Needed

 

 

 

On Sat, Dec 8, 2012 at 5:52 AM, Katta, Srinivasa CTR <Skatta@xxxxxxx> wrote:

Hi,

 

Good Morning.

 

I am seeing the following error message in the apache log file /usr/local/apache/logs/error_log when I try to start the httpd daemon.

 

[Fri Dec 07 16:45:14 2012] [emerg] FIPS mode failed

[Fri Dec 07 16:45:14 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

 

Could you please advise me how I can start the apache server, and also advise me if I have made any mistakes.

 

Please find the openssl, openssh and httpd information below.

 

Thanks,

 

Srinivas

 

 

 

 

Here is the server information;

 

root@hqd-unixtst-s2 #> uname -a

SunOS hqd-unixtst-s2 5.10 Generic_147441-24 i86pc i386 i86pc

root@hqd-unixtst-s2 #>

 

Here is the openssl information;

 

root@hqd-unixtst-s2 #> /usr/local/ssl/bin/openssl

OpenSSL> version

OpenSSL 1.0.1c-fips 10 May 2012

OpenSSL>

 

Here is the openssh information;

 

root@hqd-unixtst-s2 #> sshd -v

sshd: illegal option -- v

OpenSSH_6.1p1, OpenSSL 1.0.1c-fips 10 May 2012

usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]

            [-f config_file] [-g login_grace_time] [-h host_key_file]

            [-k key_gen_time] [-o option] [-p port] [-u len]

root@hqd-unixtst-s2 #>

 

Here is the apache httpd version information;

 

root@hqd-unixtst-s2 #> ./httpd -v

Server version: Apache/2.2.23 (Unix)

Server built:   Dec  7 2012 15:38:35

root@hqd-unixtst-s2 #>

 

Here is the httpd build configure options;

 

 

#! /bin/sh

#

# Created by configure

 

"./configure" \

"--prefix=/usr/local/apache" \

"--enable-mime-magic" \

"--enable-info" \

"--enable-imagemap" \

"--enable-speling" \

"--enable-rewrite" \

"--enable-authz-host" \

"--enable-authn-anon" \

"--enable-authn-dbm" \

"--enable-auth-digest" \

"--enable-cern-meta" \

"--enable-expires" \

"--enable-headers" \

"--enable-unique_id" \

"--enable-so" \

"--enable-ssl" \

"--with-ssl=/usr/local/ssl" \

"--with-included-apr" \

"$@"

-----------------------------------------------------------------------------

 

 

I added the SSLFips On option in the httpd-ssl.conf file and right now I do not have key files, so I commented out the following lines in the httpd-ssl.conf file:

#SSLCertificateFile "/usr/local/apache/conf/server.crt"

#SSLCertificateKeyFile "/usr/local/apache/conf/server.key"

 

 


As far as I can see, your apache has been compiled with the wrong version of openssl:
 "--with-ssl=/usr/local/ssl"

but your openssl fips is installed under
/usr/local/ssl/bin/openssl

so no wonder fips is not working.

 

 -----------------------------------------------------------------------------

Srinivasa Rao Katta (Contractor)

Unix Administrator

URS Federal Services, Inc

Desk (202)-326-3170

Cell (571)-276-1846

SCSA,SCNA,RHCT

(Sun Certified System and Network Administrator)

(Redhat Certified Technician)

-----------------------------------
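
Added example, not part of either message in this thread: shell helpers for the two checks the thread relies on, reading `ldd` output to see whether httpd resolves libssl/libcrypto as shared libraries and scanning error_log for the FIPS fingerprint failure. The function names are hypothetical and the embedded sample lines are constructed from the listings quoted above.

```shell
#!/bin/sh
# Added example: triage helpers for the FIPS start-up failure discussed above.

# Constructed sample: a few lines from the ldd listing in the message.
sample_ldd() {
cat <<'EOF'
        libaprutil-1.so.0 =>     /usr/local/apache/lib/libaprutil-1.so.0
        libapr-1.so.0 =>         /usr/local/apache/lib/libapr-1.so.0
        libc.so.1 =>     /usr/lib/libc.so.1
EOF
}

# Constructed sample: error_log lines copied from the message.
sample_log() {
cat <<'EOF'
[Fri Dec 07 15:28:52 2012] [notice] SSL FIPS mode disabled
[Fri Dec 07 15:32:51 2012] [notice] caught SIGTERM, shutting down
[Fri Dec 07 15:32:53 2012] [emerg] FIPS mode failed
[Fri Dec 07 15:32:53 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Fri Dec 07 15:57:52 2012] [emerg] FIPS mode failed
[Fri Dec 07 15:57:52 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
EOF
}

# Read `ldd` output on stdin; print "name path" for each libssl/libcrypto
# entry, or "none" when the binary has no such dynamic dependency.
openssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { print $1, $3; n++ }
         END { if (!n) print "none" }'
}

# Read an error_log on stdin; print how many start attempts died on the
# FIPS in-core fingerprint check.
fips_fingerprint_failures() {
    grep -c 'FIPS_check_incore_fingerprint:fingerprint does not match' || true
}

# Read an error_log on stdin; print the FIPS state of the latest start:
# "disabled", "failed", or "unknown" when neither message appears.
last_fips_state() {
    awk '/SSL FIPS mode disabled/ { s = "disabled" }
         /FIPS mode failed/       { s = "failed" }
         END { print (s == "" ? "unknown" : s) }'
}

echo "openssl libs:  $(sample_ldd | openssl_libs_from_ldd)"
echo "fp failures:   $(sample_log | fips_fingerprint_failures)"
echo "last state:    $(sample_log | last_fips_state)"
```

On a live host, pipe `ldd /usr/local/apache/bin/httpd` and the real error_log into the same functions; a result of "none" means the OpenSSL in use is not a shared-library dependency of httpd itself, so the library path alone does not tell you which build it carries.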

 

 

