https://issues.apache.org/bugzilla/show_bug.cgi?id=55113
Bug ID: 55113
Summary: FIPS-compatible OpenSSL fails fingerprint test in TCNative with FIPS mode on
Product: Tomcat Native
Version: 1.1.27
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Library
Assignee: dev@tomcat.apache.org
Reporter: snick...@ipswitch.com

Using the tcnative library compiled against a FIPS-compatible build of OpenSSL on Windows results in a FIPS fingerprint error when the FIPSMode attribute in the AprLifecycleListener's Listener element in server.xml is set to "on". As a result, Tomcat fails to start. When the attribute is set to "off", no errors occur, Tomcat starts up successfully, and SSL services perform normally.

The error that results in the catalina log file is:

SEVERE: Failed to initialize the SSLEngine.
java.lang.Exception: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

The problem appears to be that during startup, Tomcat's copy of the OpenSSL library libeay32.dll gets rebased from its desired memory address (by default, 0xFB00000) to a different address. Normally this wouldn't be an issue, but when operating in FIPS mode, the library executes a hash of itself which fails if it is not at its expected address. (See http://www.openssl.org/docs/fips/UserGuide-2.0.pdf, page 44.)

This was determined by using Process Explorer to examine the tomcat7.exe process following a successful startup of Tomcat with FIPSMode set to "off". The libeay32.dll library in that process displayed an "Image Base" address of 0xFB00000, indicating its desired base memory address, and a "Base" address of 0x63E20000 (or something else on other servers), indicating the actual base memory address being used for the library.

Additionally, the same procedure was used on a copy of the openssl.exe utility program, which successfully used FIPS mode with the same library used above. In that case, Process Explorer showed that the openssl.exe process's copy of libeay32.dll had the same value for the "Image Base" and "Base" addresses.

Working around this problem involved recompiling the OpenSSL library to request a different base memory address. (I used 0x6FB00000.)

Would it be possible to determine why, during startup, the libeay32.dll module's base memory address is being changed from the one it expects, and fix the problem? If not, it will need to be documented that in order to use a FIPS-compatible build of OpenSSL with TCNative in FIPS mode, the OpenSSL library will need to be recompiled with an alternate base memory address specified. (See the above PDF page for instructions for how to do so.)

This issue was experienced using Tomcat 7.0.32, tcnative 1.1.27, APR 1.4.6, and OpenSSL 1.0.1c with FIPS module 2.0.4, all on Windows Server 2008.
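The diagnosis above (compare each module's preferred "Image Base" from its PE header with the "Base" it was actually loaded at) can be scripted instead of read off Process Explorer. The following PowerShell is an added example written for this page, not code from the bug report or from the Tomcat or OpenSSL projects. It assumes the process is named tomcat7 (the reporter's tomcat7.exe) and that PowerShell is run with the same bitness (32- or 64-bit) and sufficient privilege as the target process, since the Modules collection cannot be enumerated across bitness. It reads the ImageBase field of the optional header from each module file on disk and reports every module that was relocated, which is exactly the condition under which the FIPS in-core fingerprint check on libeay32.dll fails.

```powershell
# Added example: list modules in a process that are not loaded at their
# preferred ImageBase. Process name 'tomcat7' is an assumption for this page.
$ProcessName = 'tomcat7'

function Get-PreferredImageBase([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # e_lfanew (offset 0x3C in the DOS header) locates the "PE\0\0" signature
    $peOffset  = [BitConverter]::ToInt32($bytes, 0x3C)
    # the optional header follows the 4-byte signature and the 20-byte COFF header
    $optHeader = $peOffset + 4 + 20
    $magic     = [BitConverter]::ToUInt16($bytes, $optHeader)
    switch ($magic) {
        # PE32: ImageBase is a 32-bit field at optional header offset 28
        0x10B { return [uint64][BitConverter]::ToUInt32($bytes, $optHeader + 28) }
        # PE32+: ImageBase is a 64-bit field at optional header offset 24
        0x20B { return [BitConverter]::ToUInt64($bytes, $optHeader + 24) }
        default { throw ("Unknown optional header magic 0x{0:X} in {1}" -f $magic, $Path) }
    }
}

foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
    foreach ($m in $proc.Modules) {
        try {
            $preferred = Get-PreferredImageBase $m.FileName
        } catch {
            Write-Warning $_.Exception.Message
            continue
        }
        # actual load address as seen in the live process
        $actual = [uint64]$m.BaseAddress.ToInt64()
        if ($preferred -ne $actual) {
            # same meaning as Process Explorer's "Image Base" vs "Base" columns
            [pscustomobject]@{
                Process   = $proc.ProcessName
                Module    = $m.ModuleName
                ImageBase = ('0x{0:X}' -f $preferred)
                Base      = ('0x{0:X}' -f $actual)
            }
        }
    }
}
```

Run it against the Tomcat service with FIPSMode set to "off" (so the process stays up) and again against openssl.exe; a row for libeay32.dll in the first run but not the second reproduces the reporter's observation. The script only shows which modules were moved, not why: a DLL is relocated when its preferred range is already occupied by another module in that process, or when the loader applies address randomization to it, so the module list of the other loaded DLLs around 0xFB00000 is the next thing to inspect before rebuilding OpenSSL at a different base.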