[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2017-02-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #24 from Christopher Schultz --- (In reply to Ben Mason from comment #21) > I am still getting this error as well. Is this the key length issue? It is > unclear in this thread whether that was ever

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2017-02-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56027 Mark Thomas changed:
What   |Removed   |Added
Status |REOPENED  |RESOLVED

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #21 from Ben Mason ben.ma...@viasat.com --- I am still getting this error as well. Is this the key length issue? It is unclear in this thread whether that was ever fixed. Rob Sanders said he filed another bug, but it appears it

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #22 from Konstantin Kolinko knst.koli...@gmail.com --- (In reply to Ben Mason from comment #21) Is this the key length issue? It is unclear in this thread whether that was ever fixed. Rob Sanders said he filed another bug,

RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread Robert Sanders
Now I'm confused. When Mladen posted his patch against bug 56396 I'd pulled that code and tested it and it worked. So I thought it would be in TCN 1.1.30. But when I look at TCNative 1.1.30 (included in Tomcat 6.0.41) I don't see that code, and without it my tests should have failed. So it

RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread Robert Sanders
Just double checked - error appears to be on my side. I stood up a pristine CentOS 6.5 box with Tomcat 6.0.41/TCN1.1.30 in FIPS mode and it fails to start. Manually applying the bugfix as suggested in bug 56396 does work. My apologies for flagging this as working earlier in this thread. I

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #20 from Christopher Schultz ch...@christopherschultz.net --- I believe the SSL2 MD5 routines problem is different from this issue, which was to allow Tomcat to start up with OpenSSL already in FIPS mode (e.g. don't choke and

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-25 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 Simon Mijolovic smijolo...@nutanix.com changed:
What   |Removed   |Added
Status |RESOLVED  |REOPENED

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-25 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 Simon Mijolovic smijolo...@nutanix.com changed: What|Removed |Added CC|

RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-25 Thread Robert Sanders
I tested TCN 1_1_30 with Tomcat 6 (which our app uses) and everything appears to work just fine. I haven't updated our install to try working with Tomcat 7. This is on a CentOS 6.5 (yum updated) box with fips mode enabled at boot, and a server.xml similar to yours. Just looking quickly at

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-05-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 Konstantin Kolinko knst.koli...@gmail.com changed: What|Removed |Added Status|NEW

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-04-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #17 from Konstantin Kolinko knst.koli...@gmail.com --- Follow-ups in Tomcat 8 in r1590300 r1590339 (8.0.6), r1590340 (7.0.54). Updated patch was proposed for Tomcat 6.

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-04-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #16 from Christopher Schultz ch...@christopherschultz.net --- Fixed in Tomcat trunk in r1587378, r1587379, and r1587723. Will be included in Tomcat 8.0.6 and later. Fixed in Tomcat 7.0 branch in r1587378, r1587661, and r1587734.

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-04-11 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #15 from Rob Sanders rsand...@trustedcs.com --- As per request I've filed a new bug for the failure to init the RSA 512 bit temporary key (https://issues.apache.org/bugzilla/show_bug.cgi?id=56396).

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #13 from Christopher Schultz ch...@christopherschultz.net --- (In reply to Ben Mason from comment #12) ...that will not fix problem #2, correct? I am seeing that on SLES 11 as well. Do you need someone to contribute a fix for

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #14 from Rob Sanders rsand...@trustedcs.com --- I remember reading some of the SSL docs that certain key lengths may be invalid for regular use, they are valid for key agreement/establishment. Quoting from the somewhat

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #10 from Christopher Schultz ch...@christopherschultz.net --- We need a tcnative release before Tomcat itself can be patched. If you grab the current tcnative 1.1.x branch, it will have what you need. If you then apply this

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 Christopher Schultz ch...@christopherschultz.net changed: What|Removed |Added Attachment #31226|0

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #12 from Ben Mason ben.ma...@viasat.com --- (In reply to Christopher Schultz from comment #10) We need a tcnative release before Tomcat itself can be patched. If you grab the current tcnative 1.1.x branch, it will have what

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #9 from Ben Mason ben.ma...@viasat.com --- (In reply to Christopher Schultz from comment #8) Created attachment 31226 [details] Proposed patch against Tomcat-trunk Feel free to adapt this patch for Tomcat 6. Chris- I am

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #1 from Rob Sanders rsand...@trustedcs.com --- Marked as major due to a customer requirement to have their RHEL6 boxes running in FIPS mode at boot. They are temporarily relaxing this while we have worked on determining the

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 Christopher Schultz ch...@christopherschultz.net changed: What|Removed |Added Severity|major

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #3 from Christopher Schultz ch...@christopherschultz.net --- This bug will likely require (at least) two separate patches: one for avoiding double-entry into FIPS mode, one for changing the key sizes used, and possibly one for

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #5 from Christopher Schultz ch...@christopherschultz.net --- (In reply to Rob Sanders from comment #4) Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode() before calling FIPS_mode_set() to see if we're

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #4 from Rob Sanders rsand...@trustedcs.com --- Looking at the openssl source for my box a double call to FIPS_mode_set to *enable* FIPS triggers an error - including setting the internal fips_selftest_fail flag to 1 indicating a

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #6 from Christopher Schultz ch...@christopherschultz.net --- Added fipsModeGet JNI implementation in both tcnative trunk and tcnative 1.1.x branch. Will be in tcnative 1.1.30.

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #7 from Rob Sanders rsand...@trustedcs.com --- Concur on comment 3 - had dueling edits going on. For our customer at the moment I'm implementing the TCN only fix. Once the next TC6 and TCN releases are out we'll move to them.

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027 --- Comment #8 from Christopher Schultz ch...@christopherschultz.net --- Created attachment 31226 --> https://issues.apache.org/bugzilla/attachment.cgi?id=31226&action=edit Proposed patch against Tomcat-trunk Feel free to adapt this patch