Posted to users@activemq.apache.org by Steve McKenna <st...@clearswift.com> on 2013/11/18 15:00:46 UTC

ActiveMQ-cpp problem in an app that has set openssl FIPS mode

Has anyone successfully used activemq-cpp with an SSL connection in an
application that has set FIPS mode in the openssl library?

I have a C++ application that uses activemq-cpp (3.8.1) to communicate with
a remote broker. This application works perfectly until it is restarted in
FIPS mode. In FIPS mode it fails to communicate with the remote broker,
returning the error "Channel was inactive for too long". The broker logging
shows it receives no requests from the client.

Here is all of the client command and tcp trace logging when in FIPS mode:

SEND: WireFormatInfo { commandId = 0, responseRequired = false, Magic = [
Version = 6, StackTraceEnabled = true, TcpNoDelayEnabled = true,
CacheEnabled = false, CacheSize = 1024, TightEncodingEnabled = true,
SizePrefixDisabled = false, MaxInactivityDuration = 30000,
MaxInactivityDuration = 10000 }
INFO: TCP Trace: Writing:
[0000 00d9 0141 6374 6976 654d 5100 0000 0601 0000 00c7 0000 0008 000c 4361
6368 6545 6e61 626c 6564 0100 0009 4361 6368 6553 697a 6505 0000 0400 0015
4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e06 0000 0000 0000 7530
0020 4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e49 6e69 7461 6c44
656c 6179 0600 0000 0000 0027 1000 1253 697a 6550 7265 6669 7844 6973 6162
6c65 6401 0000 1153 7461 636b 5472 6163 6545 6e61 626c 6564 0101 0011 5463
704e 6f44 656c 6179 456e 6162 6c65 6401 0100 1454 6967 6874 456e 636f 6469
6e67 456e 6162 6c65 6401 01] len: 221 bytes - tid: -1217781504
INFO: TCP Trace: Writing:
[00] len: 1 bytes - tid: -1217781504
INFO: TCP Trace: Writing:
[0000 00d9 0141 6374 6976 654d 5100 0000 0601 0000 00c7 0000 0008 000c 4361
6368 6545 6e61 626c 6564 0100 0009 4361 6368 6553 697a 6505 0000 0400 0015
4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e06 0000 0000 0000 7530
0020 4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e49 6e69 7461 6c44
656c 6179 0600 0000 0000 0027 1000 1253 697a 6550 7265 6669 7844 6973 6162
6c65 6401 0000 1153 7461 636b 5472 6163 6545 6e61 626c 6564 0101 0011 5463
704e 6f44 656c 6179 456e 6162 6c65 6401 0100 1454 6967 6874 456e 636f 6469
6e67 456e 6162 6c65 6401 01] len: 221 bytes - tid: -1217781504
INFO: TCP Trace: Writing:
[00] len: 1 bytes - tid: -1217781504
INFO: TCP Trace: Writing:
[0000 00d9 0141 6374 6976 654d 5100 0000 0601 0000 00c7 0000 0008 000c 4361
6368 6545 6e61 626c 6564 0100 0009 4361 6368 6553 697a 6505 0000 0400 0015
4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e06 0000 0000 0000 7530
0020 4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e49 6e69 7461 6c44
656c 6179 0600 0000 0000 0027 1000 1253 697a 6550 7265 6669 7844 6973 6162
6c65 6401 0000 1153 7461 636b 5472 6163 6545 6e61 626c 6564 0101 0011 5463
704e 6f44 656c 6179 456e 6162 6c65 6401 0100 1454 6967 6874 456e 636f 6469
6e67 456e 6162 6c65 6401 01] len: 221 bytes - tid: -1217781504
INFO: TCP Trace: Writing:
[00] len: 1 bytes - tid: -1217781504

To work in FIPS mode the application simply sets FIPS mode in the openssl 1.0.1d
library. Because openssl has FIPS mode enabled, any code in the application
that uses openssl functions will be invoking the openssl functions in FIPS
mode. Hence when the application calls activemq-cpp, any of activemq-cpp's
code that uses openssl library calls will be using openssl in FIPS mode. And
of course any openssl usage in libraries called by activemq-cpp (e.g. the
Apache Runtime Library) will also be in FIPS mode.

Any non-compliant calls to openssl functions will fail, and my experience to
date with this type of failure is that the openssl library writes out a
message to stdout/stderr that can be seen in strace(1) logging.
Unfortunately strace(1) logging from the application in FIPS mode shows
absolutely no error messages from the openssl library. 



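Added example (not part of the original post and not activemq-cpp code): a Python decoder for the 221-byte frame that the trace above logs three times, so the bytes can be compared field by field with the SEND line. The field layout and the value type tags (1 = boolean, 5 = int, 6 = long) are assumptions read off the bytes in the trace.

```python
import struct

# The 221-byte frame from the first "TCP Trace: Writing" entry in the post.
FRAME_HEX = """
0000 00d9 0141 6374 6976 654d 5100 0000 0601 0000 00c7 0000 0008 000c 4361
6368 6545 6e61 626c 6564 0100 0009 4361 6368 6553 697a 6505 0000 0400 0015
4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e06 0000 0000 0000 7530
0020 4d61 7849 6e61 6374 6976 6974 7944 7572 6174 696f 6e49 6e69 7461 6c44
656c 6179 0600 0000 0000 0027 1000 1253 697a 6550 7265 6669 7844 6973 6162
6c65 6401 0000 1153 7461 636b 5472 6163 6545 6e61 626c 6564 0101 0011 5463
704e 6f44 656c 6179 456e 6162 6c65 6401 0100 1454 6967 6874 456e 636f 6469
6e67 456e 6162 6c65 6401 01
"""

# Assumed value tags (inferred from the trace): tag byte -> struct format.
VALUE_TYPES = {1: ">?", 5: ">i", 6: ">q"}


def decode_wireformat_info(hex_dump):
    """Decode one length-prefixed WireFormatInfo frame into a dict."""
    buf = bytes.fromhex("".join(hex_dump.split()))
    (size,) = struct.unpack_from(">I", buf, 0)
    if size != len(buf) - 4:
        raise ValueError("length prefix does not match the captured bytes")
    info = {"type": buf[4], "magic": buf[5:13].decode("ascii"),
            "version": struct.unpack_from(">I", buf, 13)[0], "properties": {}}
    if buf[17]:  # flag byte: a marshalled property map follows
        plen, count = struct.unpack_from(">II", buf, 18)
        pos, end = 26, 22 + plen
        for _ in range(count):
            (klen,) = struct.unpack_from(">H", buf, pos)
            key = buf[pos + 2:pos + 2 + klen].decode("utf-8")
            pos += 2 + klen
            tag = buf[pos]
            if tag not in VALUE_TYPES:
                raise ValueError(f"unhandled value tag {tag} for key {key}")
            (value,) = struct.unpack_from(VALUE_TYPES[tag], buf, pos + 1)
            pos += 1 + struct.calcsize(VALUE_TYPES[tag])
            info["properties"][key] = value
        if pos != end:
            raise ValueError("property map length does not match its entries")
    return info


if __name__ == "__main__":
    for name, value in decode_wireformat_info(FRAME_HEX)["properties"].items():
        print(f"{name} = {value}")
```

The decoded map has eight entries; the value 10000 is stored under the key MaxInactivityDurationInitalDelay, which the SEND line prints as a second MaxInactivityDuration.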