Just tested against a CentOS 6 box configured to be in FIPS mode at boot as per
RH's directions and TCN will not start, tossing the same error I saw before in
catalina.out:
Apr 10, 2014 9:01:19 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:269)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:108)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:813)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
Commenting out line 77 (where the 512 bit RSA key is generated) allows TCN to
start and run normally. I don't understand all of the FIPS requirements, but
should execution be allowed to continue if we can generate *any* of the initial
keys rather than requiring all of them? The logic of the macros in lines 68
through 82 winds up causing the SSL_TMP_KEYS_INIT(r) call at line 692 to fire if
any key init fails, rather than seeing if at least one passes.
I did see in the changelog that BZ 56027 is only partially addressed, in that
the fipsModeGet() method is now available.
-Rob
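
Added example (not part of the message above and not Tomcat Native source): a small C model of the two aggregation policies the message contrasts, "fail if any temporary key fails" versus "continue if at least one succeeds". The slot sizes, the function names and the 1024-bit FIPS floor are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not Tomcat Native source: the key sizes in the
 * slot table and the 1024-bit FIPS floor are assumptions. */
#define FIPS_MIN_RSA_BITS 1024
#define NSLOTS 3

static const int slot_bits[NSLOTS] = { 512, 1024, 2048 };

/* Stand-in for a temporary-key generator: returns 0 on success, 1 on
 * failure. In FIPS mode, keys under the floor are refused. */
static int tmp_key_init(int bits, int fips_mode)
{
    return (fips_mode && bits < FIPS_MIN_RSA_BITS) ? 1 : 0;
}

/* Pattern described in the message: failures are OR-ed together, so one
 * rejected key size fails the whole initialization. */
int init_require_all(int fips_mode)
{
    int r = 0;
    for (int i = 0; i < NSLOTS; i++)
        r |= tmp_key_init(slot_bits[i], fips_mode);
    return r; /* 0 = success */
}

/* Alternative raised in the message: succeed if at least one key was
 * generated, and record which slots are usable in a bitmask so callers
 * never select a key that does not exist. */
int init_require_any(int fips_mode, unsigned *usable_mask)
{
    *usable_mask = 0;
    for (int i = 0; i < NSLOTS; i++)
        if (tmp_key_init(slot_bits[i], fips_mode) == 0)
            *usable_mask |= 1u << i;
    return *usable_mask ? 0 : 1;
}

int main(void)
{
    unsigned mask;
    for (int fips = 0; fips <= 1; fips++) {
        int all = init_require_all(fips);
        int any = init_require_any(fips, &mask);
        printf("fips=%d require_all=%s require_any=%s usable_mask=0x%x\n",
               fips, all ? "FAIL" : "ok", any ? "FAIL" : "ok", mask);
    }
    return 0;
}
```

With the "any" policy, every consumer of a temporary key has to consult the usable mask, since the 512-bit slot stays empty in FIPS mode.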
________________________________________
From: Robert Sanders [[email protected]]
Sent: Thursday, April 10, 2014 9:15 AM
To: Tomcat Developers List
Subject: RE: [VOTE] Release Apache Tomcat Native 1.1.30
Is the TCN portion of BZ 56027 addressed completely or partially with this
release? I see the exposure of the FIPS_mode setting, but it looks like the
temporary 512 bit RSA key is still being done in the SSL_TMP_KEYS_INIT macro
(line 77). When I hacked my workaround earlier this year I had to make sure I
didn't call FIPS_mode_set if it was already set and disable the 512 bit key to
get TCN to spin up correctly.
-Rob
________________________________________
From: Mladen Turk [[email protected]]
Sent: Thursday, April 10, 2014 9:01 AM
To: [email protected]
Subject: Re: [VOTE] Release Apache Tomcat Native 1.1.30
On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
>
> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>
> - Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites
> (including EECDH/ECDHE) are enabled.
>
> - Smoke tests of APR, with and without TLS, all passed.
>
Cool.
Thanks
--
^TM
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]