For Apache 2.2.15, I've used the two different versions of OpenSSL 0.9.8n/0.9.8o, the latter version of OpenSSL was used ever since it was released and I had no issues. I've used different versions of OpenSSL (when they became available) with different versions of Apache, still never encountered any of these issues before. Your suggestion was my next step, just wanted to see if anyone has experienced these issues. Thanks for the quick response! James >---- Original Message ---- >From: Jeff Trawick <trawick@xxxxxxxxx> >To: users@xxxxxxxxxxxxxxxx >Sent: Fri, Aug 6, 2010, 11:18 AM >Subject: Re: Apache 2.2.16 > >On Fri, Aug 6, 2010 at 10:57 AM, <james@xxxxxxxxxxxxxxx> wrote: >> >> Hello, >> >> I've recently upgraded to 2.2.16 and am encountering some issues. I've noticed the addition of SSLFIPS, however, I did not see any mention of this in the release notes. I did, however, see mention of it in the release notes for 2.3.6, interesting. I've compiled against OpenSSL 0.9.8o-fips (FIPS 1.2 module from openssl.org). >> >> I have a web application that uses OpenLDAP and SSH to add/check resources, such as users. Going through HTTPS and testing the LDAP server configuration (manually entered settings) to verify that I can communicate with the server properly, the Apache child process segfaults. The OpenLDAP version is 2.4.23. >> >> [Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11) >> >> Has anyone encountered this issue before? >> >> My other issue is when adding an user over HTTPS and having PHP exec() the system's ssh command to connect to the remote machine and perform a few minor operations. The error message I am getting is: >> >> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored >> [Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6) >> >> After researching that error message a bit, it appears to be caused by an MD5 checksum and MD5 is one of the forbidden algorithms in FIPS. >> >> The above mentioned functionality worked flawlessly in 2.2.15 and below. > >Did you use the same OpenSSL build with 2.2.15 and below? > >My suggestion: > >Find out what symptoms are specific to the use of FIPS-enabled OpenSSL >Get backtraces for any crashes (SIGSEGV, SIGABRT) you're seeing >Open bugs with the appropriate component(s) -- httpd, PHP, apr, >OpenLDAP, etc. -- depending on what code crashes or is implicated in >misusing some other component. > >--------------------------------------------------------------------- >The official User-To-User support forum of the Apache HTTP Server Project. >See <URL:http://httpd.apache.org/userslist.html> for more info. >To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx > " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx >For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|