FIPS Fails due to Fingerprint Error while running for a App

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi Experts,


Looking for some assistance. I’ve compiled one of the App in FIPs mode and while running the App. I’m getting fingerprint mismatch error. I’ve followed the standard procedure to build a FIPS module using OpenSSL UserGuide 2.0. But not sure what part is missing.

:~$ openssl version
OpenSSL 1.0.2q-fips 20 Nov 2018


:~$  (App version check Output)


error initializing FIPS mode
0:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:



I followed the standard procedure to build the FIPS module. If I try running Openssl commands via FIPS enabled it didn’t give me any errors:

root@haproxyOpenSSLFIPS-02:/home/ubuntu# OPENSSL_FIPS=1 openssl md5 xyz.txt
Error setting digest md5
140197799200408:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:


But if I try via app it initialize to fail due to fingerprint error:
I compiled the app build via following make command:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib/

Where as FIPS module path is: /usr/local/ssl/fips-2.0

I’m thinking may be issue is at the path end while using make for haproxy (as above ^) but not sure.

Here is ldd haproxy result:

root@haproxyOpenSSLFIPS-02:/home/ubuntu/haproxy-1.9.2# ldd haproxy
linux-vdso.so.1 => (0x00007ffcd331c000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa12fef2000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa12fcd8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa12fabb000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa12f8b3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12f6af000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa12f43f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f075000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13012a000)


-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux