You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/01/17 14:48:54 UTC
[Bug 56027] New: Unable to use TCN on RHEL6 boxes if box is booted
in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Bug ID: 56027
Summary: Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Product: Tomcat Native
Version: 1.1.29
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: Library
Assignee: dev@tomcat.apache.org
Reporter: rsanders@trustedcs.com
There are two problems here.
#1) A RHEL6 box can be configured to boot in FIPS 140 mode automatically, and
the underlying openssl packages will detect this when they initialize. If
Tomcat is configured to use the APR listener with 'FIPSMode="on"' set, then the
APRLifecycleListener in initializeSSL calls down to TCN to explicitly do a
fipsModeSet. However, *if* a RHEL box is configured to be in fips mode at boot
then this call will fail in the openssl libraries, where it claims that fips
mode is already set. Looking at the openssl source
(openssl-1.0.0-27.el6.src.rpm) the FIPS_mode_set() call does not allow for
being 'set' more than once. Putting a check in TCN src/ssl.c in the
fipsModeCheck() to see if the mode is already set solves this one.
#2) Second issue is in the SSL_TMP_KEYS_INIT macro (called from the TCN
src/ssl.c initialize() method) looks like it trying to pre-initialize a 512 bit
RSA key. This key appears to be invalid (the underlying ssl_tmp_key_init_rsa()
call fails), and this winds up with the entire initialize code throwoing an
error about this platform having an unsupported function and exiting. Deleting
the 512 RSA init line solves this one.
Not sure the best solution for #2. Discussing with a few folks here indicated
that a 512 bit RSA key is invalid for FIPS mode, so perhaps this call needs to
be wrapped in a 'if (FIPS_Mode()==0)' check. Out of my depth there on the best
solution.
My initial debug wound up exposing the FIPS_Mode() call thru JNI so the
AprLifecycleListner class could check this and display an intelligent message,
but this would involve changes to both TC6/7(/8?) as well as TCN, and may not
be worth that extra involvement.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #14 from Rob Sanders <rs...@trustedcs.com> ---
I remember reading some of the SSL docs that certain key lengths may be invalid
for regular use, they are valid for key agreement/establishment. Quoting from
the somewhat confusing section 2.6.2 of the OpenSSL FIPS140 Userguide (v2.0)
PDF:
===
Algorithms Available in FIPS Mode
Only the algorithms listed in tables 4a and 4b of the Security Policy are
allowed in FIPS mode.
Note that Diffie-Hellman and RSA are allowed in FIPS mode for key agreement and
key establishment even though they are “Non-Approved” for that purpose. RSA for
sign and verify is “Approved” and hence also allowed, along with all the other
Approved algorithms listed in that table
===
Rather than hardcode in TCN what approved keys are, is there a way to ask the
underlying openssl implementation what *it* thinks are acceptable? I don't
have an answer for that. What I did to make things work back in January was
comment out the 512 bit RSA key generation in TCN before building (along with
adding a check to see if FIPS mode was already set).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
This bug will likely require (at least) two separate patches: one for avoiding
double-entry into FIPS mode, one for changing the key sizes used, and possibly
one for creating a native-wrapper around the FIPS_mode function call so Java
can inspect the current status and take appropriate action.
I think the best situation would be to allow the user to specify more than
simply "on" versus "off" for the FIPSmode configuration attribute: it would be
nice to use something like "on" to enable FIPS mode by calling FIPS_mode_set if
necessary, "require" to require that FIPS mode already be enabled (or throw an
exception and refuse to start the connector), or maybe a third option like
"enter" which would attempt to enter FIPS mode and fail if FIPS mode were
already enabled (this is the current behavior).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #7 from Rob Sanders <rs...@trustedcs.com> ---
Concur on comment 3 - had dueling edits going on.
For our customer at the moment I'm implementing the TCN only fix. Once the
next TC6 and TCN releases are out we'll move to them.
Thanks Chris.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #17 from Konstantin Kolinko <kn...@gmail.com> ---
Follow-ups in Tomcat 8 in r1590300 r1590339 (8.0.6), r1590340 (7.0.54).
Updated patch was proposed for Tomcat 6.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Christopher Schultz <ch...@christopherschultz.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #31226|0 |1
is obsolete| |
--- Comment #11 from Christopher Schultz <ch...@christopherschultz.net> ---
Created attachment 31406
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31406&action=edit
Patch against Tomcat trunk
Updated patch with improved documentation and a small bug fix for ensuring that
FIPS mode was successfully entered.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Konstantin Kolinko <kn...@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #18 from Konstantin Kolinko <kn...@gmail.com> ---
Fixed in Tomcat 6 by r1593696 and will be in 6.0.40.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
Added fipsModeGet JNI implementation in both tcnative trunk and tcnative 1.1.x
branch. Will be in tcnative 1.1.30.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #9 from Ben Mason <be...@viasat.com> ---
(In reply to Christopher Schultz from comment #8)
> Created attachment 31226 [details]
> Proposed patch against Tomcat-trunk
>
> Feel free to adapt this patch for Tomcat 6.
Chris-
I am having the same issue as I need to boot my SLES 11 box in FIPS mode. I am
using Tomcat 7.0.52. Can you tell in which, if any, Tomcat 7 release this patch
will be included?
Thanks.
-Ben
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #10 from Christopher Schultz <ch...@christopherschultz.net> ---
We need a tcnative release before Tomcat itself can be patched.
If you grab the current tcnative 1.1.x branch, it will have what you need. If
you then apply this patch to 7.0.52 (which is quite easy to re-compile
yourself, actually) and deploy the two, you should be good to go.
I'm about to update the Java patch a bit to fix a minor bug and to address some
of the concerns raised by some other devs. You might want to apply the new
patch instead.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #16 from Christopher Schultz <ch...@christopherschultz.net> ---
Fixed in Tomcat trunk in r1587378, r1587379, and r1587723. Will be included in
Tomcat 8.0.6 and later.
Fixed in Tomcat 7.0 branch in r1587378, r1587661, and r1587734. Will be
included in Tomcat 7.0.54 and later.
Proposed for Tomcat 6.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted
in fips mode
Posted by Robert Sanders <rs...@TrustedCS.com>.
Just double checked - error appears to be on my side. I stood up a pristine CentOS 6.5 box with Tomcat 6.0.41/TCN1.1.30 in FIPS mode and it fails to start. Manually applying the bugfix as suggested in bug 56396 does work. My apologies for flagging this as working earlier in this thread.
I think there was some debris from testing that actually made things work when I tried to verify this earlier.
-R
________________________________________
From: Robert Sanders [rsanders@TrustedCS.com]
Sent: Wednesday, July 02, 2014 10:42 AM
To: Tomcat Developers List
Subject: RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
Now I'm confused. When Mladen posted his patch against bug 56396 I'd pulled that code and tested it and it worked. So I thought it would be in TCN 1.1.30. But when I look at TCNative 1.1.30 (included in Tomcat 6.0.41) I don't see that code, and without it my tests should have failed.
So it looks like I not only messed up my testing against bug 56396 (pulled wrong code?), but also must have done something wrong when testing 6.0.41 with the included tcn1.1.30 last week.
Let me see if I can figure out what I did wrong.
-R
________________________________________
From: bugzilla@apache.org [bugzilla@apache.org]
Sent: Wednesday, July 02, 2014 10:26 AM
To: dev@tomcat.apache.org
Subject: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #22 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Ben Mason from comment #21)
> Is this the key length issue? It is
> unclear in this thread whether that was ever fixed. Rob Sanders said he
> filed another bug, but it appears it was deleted.
Key length issue is bug 56396, should be fixed in TCNative 1.1.31. (r1587896)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted
in fips mode
Posted by Robert Sanders <rs...@TrustedCS.com>.
Now I'm confused. When Mladen posted his patch against bug 56396 I'd pulled that code and tested it and it worked. So I thought it would be in TCN 1.1.30. But when I look at TCNative 1.1.30 (included in Tomcat 6.0.41) I don't see that code, and without it my tests should have failed.
So it looks like I not only messed up my testing against bug 56396 (pulled wrong code?), but also must have done something wrong when testing 6.0.41 with the included tcn1.1.30 last week.
Let me see if I can figure out what I did wrong.
-R
________________________________________
From: bugzilla@apache.org [bugzilla@apache.org]
Sent: Wednesday, July 02, 2014 10:26 AM
To: dev@tomcat.apache.org
Subject: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #22 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Ben Mason from comment #21)
> Is this the key length issue? It is
> unclear in this thread whether that was ever fixed. Rob Sanders said he
> filed another bug, but it appears it was deleted.
Key length issue is bug 56396, should be fixed in TCNative 1.1.31. (r1587896)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #22 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Ben Mason from comment #21)
> Is this the key length issue? It is
> unclear in this thread whether that was ever fixed. Rob Sanders said he
> filed another bug, but it appears it was deleted.
Key length issue is bug 56396, should be fixed in TCNative 1.1.31. (r1587896)
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #15 from Rob Sanders <rs...@trustedcs.com> ---
As per request I've filed a new bug for the failure to init the RSA 512 bit
temporary key (https://issues.apache.org/bugzilla/show_bug.cgi?id=56396).
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #8 from Christopher Schultz <ch...@christopherschultz.net> ---
Created attachment 31226
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31226&action=edit
Proposed patch against Tomcat-trunk
Feel free to adapt this patch for Tomcat 6.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Christopher Schultz <ch...@christopherschultz.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Severity|major |normal
--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---
I'm putting this back to "normal". While your customer may consider this
high-priority, and while one of the Tomcat team may fix this quickly, "major"
would probably be considered a bug that would require an immediate
fix-and-release.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Rob Sanders from comment #4)
> Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode()
> before calling FIPS_mode_set() to see if we're already in fips mode. If so,
> just return 1, otherwise attempt to set to FIPS mode.
See my comment above for the behavior I'd like to see, which is incompatible
with this proposal.
> There is no way that
> I know of to get an intelligent message back through the JNI without other
> changes, so if a status messages of "Already in FIPS mode" would be
> desirable the FIPS_mode() routine will need to be exposed through JNI and
> checked from the AprLifecycleListener code before calling fipsModeSet.
This was my plan.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #12 from Ben Mason <be...@viasat.com> ---
(In reply to Christopher Schultz from comment #10)
> We need a tcnative release before Tomcat itself can be patched.
>
> If you grab the current tcnative 1.1.x branch, it will have what you need.
> If you then apply this patch to 7.0.52 (which is quite easy to re-compile
> yourself, actually) and deploy the two, you should be good to go.
>
> I'm about to update the Java patch a bit to fix a minor bug and to address
> some of the concerns raised by some other devs. You might want to apply the
> new patch instead.
Thanks, Chris. I can surely do that. However, that will not fix problem #2,
correct? I am seeing that on SLES 11 as well. Do you need someone to contribute
a fix for #2, or is someone working on that?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #13 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Ben Mason from comment #12)
> ...that will not fix problem #2,
> correct? I am seeing that on SLES 11 as well. Do you need someone to
> contribute a fix for #2, or is someone working on that?
I'm out of my element, there. If you've got a proposal and are willing to work
on a patch, please do so. The assertion that 512-bit RSA is not valid for FIPS
mode certainly seems reasonable. AFAIK, there's nothing in FIPS that
established an *upper* limit on key size, or that the implementation must
actually use clearly inferior algorithms.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #1 from Rob Sanders <rs...@trustedcs.com> ---
Marked as major due to a customer requirement to have their RHEL6 boxes running
in FIPS mode at boot. They are temporarily relaxing this while we have worked
on determining the problem.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #20 from Christopher Schultz <ch...@christopherschultz.net> ---
I believe the "SSL2 MD5" routines problem is different from this issue, which
was to allow Tomcat to start up with OpenSSL already in FIPS mode (e.g. don't
choke and die if we're already in FIPS mode).
Next, Tomcat tries to initialize the SSL endpoint with a list of ciphers and I
think it request too many ciphers (and violates FIPS requirements). I'm not
sure why this fails when already in FIPS mode versus working when explicitly
entering FIPS mode first. I thought this failure had been reported elewhere but
I can't seem to find the reference right now.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Simon Mijolovic <sm...@nutanix.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |smijolovic@nutanix.com
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #4 from Rob Sanders <rs...@trustedcs.com> ---
Looking at the openssl source for my box a double call to FIPS_mode_set to
*enable* FIPS triggers an error - including setting the internal
fips_selftest_fail flag to 1 indicating a failure.
Understood on the severity change - somewhat surprised that I can't find any
real reports of this failure in general web searches or on RH's pages.
Some additional comments...
Looking for a boot entry does appear to be a RHEL 'addition', but the source
also indicates you can set an environment variable to accomplish the same thing
(OPENSSL_FORCE_FIPS_MODE). This is in the source code of crypto/o_init.c (after
applying RH patches). The /proc/sys/crypto/fips_enabled trigger file is
checked in this file also.
Looking deeper at the AprLifecycleListener initializeSSL code it does call the
TCN SSL.initialize code, which drops down into some of the openssl calls that
look like bounce through the various init routines including the code in
o_init.c that does the FIPS startup. So *if* the underlying platform has the
fs/env check a call to FIPS_Mode() prior to calling FIPS_mode_set() in TCN
fipsModeSet() should detect this.
Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode() before
calling FIPS_mode_set() to see if we're already in fips mode. If so, just
return 1, otherwise attempt to set to FIPS mode. There is no way that I know
of to get an intelligent message back through the JNI without other changes, so
if a status messages of "Already in FIPS mode" would be desirable the
FIPS_mode() routine will need to be exposed through JNI and checked from the
AprLifecycleListener code before calling fipsModeSet.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted
in fips mode
Posted by Robert Sanders <rs...@TrustedCS.com>.
I tested TCN 1_1_30 with Tomcat 6 (which our app uses) and everything appears to work just fine. I haven't updated our install to try working with Tomcat 7. This is on a CentOS 6.5 (yum updated) box with fips mode enabled at boot, and a server.xml similar to yours.
Just looking quickly at your log I'm concerned about the 'Failed to initialize the SSLEngine' message near the beginning. As I recall I use to see this if I explictly tried to initialize the SSL Engine twice - which openssl throws an exception on.
-R
________________________________________
From: bugzilla@apache.org [bugzilla@apache.org]
Sent: Wednesday, June 25, 2014 12:56 PM
To: dev@tomcat.apache.org
Subject: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Simon Mijolovic <sm...@nutanix.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Version|1.1.29 |1.1.30
Resolution|FIXED |---
--- Comment #19 from Simon Mijolovic <sm...@nutanix.com> ---
Still running into this issue where the APR library won't load when in fips
mode using the FIPS validated OpenSSL library.
CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has
fips=1 (prelink disabled, dracut -f, reboot shows "cat
/proc/sys/crypto/fips_enabled" = 1)
Tomcat 7.0.54 running, and compiled the tcnative APR lib with:
./configure --with-apr=`which apr-1-config`
--with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes
--prefix=/usr/share/apache-tomcat-7.0.54
Setenv.sh:
#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
Server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
Connector.xml:
<Connector
clientAuth="false"
port="9443"
protocol="HTTP/1.1"
SSLEnabled="true"
scheme="https"
secure="true"
SSLCertificateFile="/etc/private/rsacert.pem"
SSLCertificateKeyFile="/etc/private/rsakey.pem"
SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
SSLDisableCompression="true"
SSLHonorCipherOrder="true"
SSLVerifyClient="optional"
SSLProtocol="TLSv1"
server="Prism Server"
connectionTimeout="60000"
keepAliveTimeout="60000"
maxKeepAliveRequests="100"
maxThreads="150"
maxPostSize="2097152"
maxHeaderCount="50"
maxHttpHeaderSize="8190"
allowTrace="false"
/>
Starting services:
service tomcat start
Using CATALINA_BASE: /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME: /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME: /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:
/usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.
logs/catalina.2014-06-12.log:
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version
1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true
].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on
this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListene
r.java:270)
at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListen
er.java:124)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.j
ava:117)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90
)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9443"]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-apr-9443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is
enabled in the AprLifecycleListener, the AprLifecycleListener has initialised
correctly and that a valid SSLProtocol has been specified
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL
routines:SSL_CTX_new:unable to load ssl2 md5 routines)
at org.apache.tomcat.jni.SSLContext.make(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
... 16 more
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1
-9443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.lang.Exception: Unable to create SSLContext. Check that
SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has
initialised correctly and that a valid SSLProtocol has been specified
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
... 13 more
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL
routines:SSL_CTX_new:unable to load ssl2 md5 routines)
at org.apache.tomcat.jni.SSLContext.make(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
... 16 more
When I remove fips=1 from grub.conf, reboot, and add FIPSMode="on" to the
AprLifecycleListener in server.xml, the Engine works and FIPSMode shows it's
set to "on". What is up with the OpenSSL library with the kernel running in
FIPS mode that keeps displaying the error: java.lang.Exception: Invalid Server
SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5
routines)?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
Simon Mijolovic <sm...@nutanix.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Version|1.1.29 |1.1.30
Resolution|FIXED |---
--- Comment #19 from Simon Mijolovic <sm...@nutanix.com> ---
Still running into this issue where the APR library won't load when in fips
mode using the FIPS validated OpenSSL library.
CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has
fips=1 (prelink disabled, dracut -f, reboot shows "cat
/proc/sys/crypto/fips_enabled" = 1)
Tomcat 7.0.54 running, and compiled the tcnative APR lib with:
./configure --with-apr=`which apr-1-config`
--with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes
--prefix=/usr/share/apache-tomcat-7.0.54
Setenv.sh:
#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
Server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />
Connector.xml:
<Connector
clientAuth="false"
port="9443"
protocol="HTTP/1.1"
SSLEnabled="true"
scheme="https"
secure="true"
SSLCertificateFile="/etc/private/rsacert.pem"
SSLCertificateKeyFile="/etc/private/rsakey.pem"
SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
SSLDisableCompression="true"
SSLHonorCipherOrder="true"
SSLVerifyClient="optional"
SSLProtocol="TLSv1"
server="Prism Server"
connectionTimeout="60000"
keepAliveTimeout="60000"
maxKeepAliveRequests="100"
maxThreads="150"
maxPostSize="2097152"
maxHeaderCount="50"
maxHttpHeaderSize="8190"
allowTrace="false"
/>
Starting services:
service tomcat start
Using CATALINA_BASE: /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME: /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME: /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:
/usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.
logs/catalina.2014-06-12.log:
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version
1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
random [true
].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on
this platform
at org.apache.tomcat.jni.SSL.initialize(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at
org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListene
r.java:270)
at
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListen
er.java:124)
at
org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.j
ava:117)
at
org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90
)
at
org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-apr-9443"]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler
["http-apr-9443"]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is
enabled in the AprLifecycleListener, the AprLifecycleListener has initialised
correctly and that a valid SSLProtocol has been specified
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL
routines:SSL_CTX_new:unable to load ssl2 md5 routines)
at org.apache.tomcat.jni.SSLContext.make(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
... 16 more
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-9443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1
-9443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.ja
va:43)
at java.lang.reflect.Method.invoke(Method.java:483)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.lang.Exception: Unable to create SSLContext. Check that
SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has
initialised correctly and that a valid SSLProtocol has been specified
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
... 13 more
Caused by: java.lang.Exception: Invalid Server SSL Protocol (error:140A90F1:SSL
routines:SSL_CTX_new:unable to load ssl2 md5 routines)
at org.apache.tomcat.jni.SSLContext.make(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:498)
... 16 more
When I remove fips=1 from grub.conf, reboot, and add FIPSMode="on" to the
AprLifecycleListener in server.xml, the Engine works and FIPSMode shows it's
set to "on". What is up with the OpenSSL library with the kernel running in
FIPS mode that keeps displaying the error: java.lang.Exception: Invalid Server
SSL Protocol (error:140A90F1:SSL routines:SSL_CTX_new:unable to load ssl2 md5
routines)?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in
fips mode
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027
--- Comment #21 from Ben Mason <be...@viasat.com> ---
I am still getting this error as well. Is this the key length issue? It is
unclear in this thread whether that was ever fixed. Rob Sanders said he filed
another bug, but it appears it was deleted.
(In reply to Christopher Schultz from comment #20)
> I believe the "SSL2 MD5" routines problem is different from this issue,
> which was to allow Tomcat to start up with OpenSSL already in FIPS mode
> (e.g. don't choke and die if we're already in FIPS mode).
>
> Next, Tomcat tries to initialize the SSL endpoint with a list of ciphers and
> I think it request too many ciphers (and violates FIPS requirements). I'm
> not sure why this fails when already in FIPS mode versus working when
> explicitly entering FIPS mode first. I thought this failure had been
> reported elewhere but I can't seem to find the reference right now.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org