Posted to bugs@httpd.apache.org by bu...@apache.org on 2017/03/30 18:27:07 UTC

[Bug 60943] New: mod_ssl enables all of OpenSSL's built-in engines, even when in FIPS mode.

https://bz.apache.org/bugzilla/show_bug.cgi?id=60943

            Bug ID: 60943
           Summary: mod_ssl enables all of OpenSSL's built-in engines,
                    even when in FIPS mode.
           Product: Apache httpd-2
           Version: 2.4.25
          Hardware: PC
                OS: FreeBSD
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: stephen_wall@redcom.com
  Target Milestone: ---

FreeBSD (and OpenBSD) provide(s) a crypto accelerator device, /dev/crypto, for
which OpenSSL builds a built-in engine.

Apache's mod_ssl calls ENGINE_load_builtin_engines() as part of its startup,
resulting in that engine being active. For RSA operations, that engine calls
some OpenSSL internal RSA functions.  Those functions are not the FIPS
certified ones, resulting in a failure if FIPS has been enabled.  This means
Apache will reject all connections until it is reconfigured, either without
FIPS enabled, or with an EC certificate.

While I believe that the OpenSSL cryptodev engine should not be calling those
functions, I don't think mod_ssl should be arbitrarily enabling all the
built-in engines, even when FIPS mode has been turned on, since it has no
knowledge of whether those engines are FIPS certified.  Either don't call
ENGINE_load_builtin_engines() when in FIPS mode, or add a configuration option
that allows users to choose for themselves whether or not
ENGINE_load_builtin_engines() is called.
