Posted to users@httpd.apache.org by ja...@nixsecurity.org on 2010/11/11 20:01:07 UTC

[users@httpd] SSLFIPS Directive

Apache 2.2.17
OpenSSL 0.9.8n FIPS
PHP 5.3.2
libssh2 1.2.6

So, I have a web application where the front-end is Flex/AS3 and the back-end is a mix of PHP/C. PHP is compiled with the libssh2 library and the PECL extension to enable the ssh2 functionality. I use the ssh2 functions within PHP for communication between systems. For instance, the interface allows you to add another product of ours for communication with our primary product. Communication works via SSH; I'm not going to get into the details of that. Anyway, when I introduce the SSLFIPS directive into my httpd.conf, Apache child processes crash. This happens even if the directive's value is set to off. However, if I don't introduce the directive, everything works as expected.

We are required by government customers to offer FIPS.

[Thu Nov 11 13:50:43 2010] [notice] Operating in SSL FIPS mode
[Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
[Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
[Thu Nov 11 13:50:43 2010] [notice] Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8o-fips configured -- resuming normal operations
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
[Thu Nov 11 13:50:58 2010] [notice] child pid 24913 exit signal Aborted (6)
[Thu Nov 11 13:50:58 2010] [notice] child pid 24915 exit signal Aborted (6)

Any thoughts?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSLFIPS Directive (UNCLASSIFIED)

Posted by Igor Galić <i....@brainsware.org>.
----- "Dwight P CTR DISA PAC Victor" <dw...@disa.mil> wrote:

> Classification:  UNCLASSIFIED 
> Caveats: NONE
> 
> Related?
> http://rt.openssl.org/Ticket/Display.html?id=1278&user=guest&pass=guest
> 
> ---
> Dwight Victor (Contractor), CISSP, RHCT, SCSECA
> DISA-PAC EMSS Gateway Hawaii
> EMAIL: dwight.victor.ctr@disa.mil
> TEL:   (808) 653-3677 ext 229 
> 
> -----Original Message-----
> From: james@nixsecurity.org [mailto:james@nixsecurity.org] 
> Sent: Thursday, November 11, 2010 9:01 AM
> To: users@httpd.apache.org
> Subject: [users@httpd] SSLFIPS Directive
> 
> Apache 2.2.17
> OpenSSL 0.9.8n FIPS
> PHP 5.3.2
> libssh2 1.2.6
> 
> So, I have a web application where the front-end is Flex/AS3 and the
> back-end is a mix of PHP/C. PHP is compiled with the libssh2 library
> and the pecl extension to enable the ssh2 functionality. I use the
> ssh2 functions within PHP for communication between systems. For
> instance, the interface allows you to add another product of ours for
> communication with our primary product. Communication works via SSH,
> I'm not going to get into the details of that. Anyway, what happens
> when I introduce the SSLFIPS directive into my httpd.conf, apache
> child processes are crashing. This happens even if the directive's
> value is set to off. However, if I don't introduce the directive,
> everything works as expected.
> 
> We are required by government customers to offer FIPS.
> 
> [Thu Nov 11 13:50:43 2010] [notice] Operating in SSL FIPS mode
> [Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary
> 512 bit RSA private key in FIPS mode
> [Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary
> 512 bit DH parameters in FIPS mode
> [Thu Nov 11 13:50:43 2010] [notice] Apache/2.2.17 (Unix)
> mod_ssl/2.2.17 OpenSSL/0.9.8o-fips configured -- resuming normal
> operations
> digest.c(151): OpenSSL internal error, assertion failed: Digest update
> previous FIPS forbidden algorithm error ignored
> digest.c(151): OpenSSL internal error, assertion failed: Digest update
> previous FIPS forbidden algorithm error ignored
> [Thu Nov 11 13:50:58 2010] [notice] child pid 24913 exit signal
> Aborted (6)
> [Thu Nov 11 13:50:58 2010] [notice] child pid 24915 exit signal
> Aborted (6)

Can you get us a coredump/back-trace of the children which are dying?
How, exactly, have you compiled/linked the PECL extensions vs mod_ssl?

> Any thoughts?

If all else fails: Run PHP in the backend, and the SSL termination
in a proxy.


i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
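
The fallback suggested in the reply above (PHP in the backend, SSL termination in a proxy), sketched as two separate httpd 2.2 instances. This is an added example, not configuration posted by anyone in the thread; the host name, port, file names and paths are assumptions.

```apache
# ===== httpd-front.conf (assumed file name): TLS termination only =====
# Loads mod_ssl and the proxy modules, but not PHP or the ssh2 extension.
Listen 443
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# SSLFIPS is a server-wide directive, so it goes outside any <VirtualHost>.
SSLFIPS on

<VirtualHost *:443>
    # Placeholder host name and certificate paths
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/app.example.com.key

    # Reverse proxy only; never act as a forward proxy
    ProxyRequests     Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

# ===== httpd-back.conf (assumed file name): PHP + ssh2 only =====
# A second httpd instance. mod_ssl is not loaded and SSLFIPS does not appear,
# so the directive never applies to the processes that run the ssh2 code.
# Bound to loopback so only the front end can reach it.
Listen 127.0.0.1:8080
LoadModule php5_module modules/libphp5.so
AddHandler application/x-httpd-php .php

# Placeholder document root
DocumentRoot /var/www/app
```

With this split, the TLS listener runs under SSLFIPS while the PHP/libssh2 code runs in processes mod_ssl never touches. The SSH connections made from PHP are then outside the scope of the directive, which has to be weighed against the FIPS requirement separately.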



RE: [users@httpd] SSLFIPS Directive (UNCLASSIFIED)

Posted by "Victor, Dwight P CTR DISA PAC" <dw...@disa.mil>.
Classification:  UNCLASSIFIED 
Caveats: NONE

Related? http://rt.openssl.org/Ticket/Display.html?id=1278&user=guest&pass=guest

---
Dwight Victor (Contractor), CISSP, RHCT, SCSECA
DISA-PAC EMSS Gateway Hawaii
EMAIL: dwight.victor.ctr@disa.mil
TEL:   (808) 653-3677 ext 229 
