[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://bz.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #24 from Christopher Schultz ---
(In reply to Ben Mason from comment #21)
> I am still getting this error as well. Is this the key length issue? It is
> unclear in this thread whether that was ever fixed. Rob Sanders said he
> filed another bug, but it appears it was deleted.

Just a note for archival purposes: the bug referenced above was certainly NOT deleted. It was CLOSED FIXED.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://bz.apache.org/bugzilla/show_bug.cgi?id=56027

Mark Thomas changed:

           What    |Removed    |Added
-------------------------------------
             Status|REOPENED   |RESOLVED
         Resolution|---        |FIXED

--- Comment #23 from Mark Thomas ---
This should no longer be an issue in 1.2.x. The fips mode setting has been fixed. SSL_TMP_KEYS_INIT does not exist in 1.2.x.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #21 from Ben Mason <ben.ma...@viasat.com> ---
I am still getting this error as well. Is this the key length issue? It is unclear in this thread whether that was ever fixed. Rob Sanders said he filed another bug, but it appears it was deleted.

(In reply to Christopher Schultz from comment #20)
> I believe the SSL2 MD5 routines problem is different from this issue, which
> was to allow Tomcat to start up with OpenSSL already in FIPS mode (e.g. don't
> choke and die if we're already in FIPS mode).
>
> Next, Tomcat tries to initialize the SSL endpoint with a list of ciphers and
> I think it requests too many ciphers (and violates FIPS requirements). I'm
> not sure why this fails when already in FIPS mode versus working when
> explicitly entering FIPS mode first. I thought this failure had been
> reported elsewhere but I can't seem to find the reference right now.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #22 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Ben Mason from comment #21)
> Is this the key length issue? It is unclear in this thread whether that was
> ever fixed. Rob Sanders said he filed another bug, but it appears it was
> deleted.

Key length issue is bug 56396, should be fixed in TCNative 1.1.31. (r1587896)
RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
Now I'm confused. When Mladen posted his patch against bug 56396 I'd pulled that code and tested it and it worked. So I thought it would be in TCN 1.1.30. But when I look at TCNative 1.1.30 (included in Tomcat 6.0.41) I don't see that code, and without it my tests should have failed.

So it looks like I not only messed up my testing against bug 56396 (pulled wrong code?), but also must have done something wrong when testing 6.0.41 with the included tcn1.1.30 last week. Let me see if I can figure out what I did wrong.

-R

From: bugzi...@apache.org [bugzi...@apache.org]
Sent: Wednesday, July 02, 2014 10:26 AM
To: dev@tomcat.apache.org
Subject: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
Just double checked - error appears to be on my side. I stood up a pristine CentOS 6.5 box with Tomcat 6.0.41/TCN1.1.30 in FIPS mode and it fails to start. Manually applying the bugfix as suggested in bug 56396 does work.

My apologies for flagging this as working earlier in this thread. I think there was some debris from testing that actually made things work when I tried to verify this earlier.

-R

From: Robert Sanders [rsand...@trustedcs.com]
Sent: Wednesday, July 02, 2014 10:42 AM
To: Tomcat Developers List
Subject: RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #20 from Christopher Schultz <ch...@christopherschultz.net> ---
I believe the SSL2 MD5 routines problem is different from this issue, which was to allow Tomcat to start up with OpenSSL already in FIPS mode (e.g. don't choke and die if we're already in FIPS mode).

Next, Tomcat tries to initialize the SSL endpoint with a list of ciphers and I think it requests too many ciphers (and violates FIPS requirements). I'm not sure why this fails when already in FIPS mode versus working when explicitly entering FIPS mode first. I thought this failure had been reported elsewhere but I can't seem to find the reference right now.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic <smijolo...@nutanix.com> changed:

           What    |Removed    |Added
-------------------------------------
             Status|RESOLVED   |REOPENED
            Version|1.1.29     |1.1.30
         Resolution|FIXED      |---

--- Comment #19 from Simon Mijolovic <smijolo...@nutanix.com> ---
Still running into this issue where the APR library won't load when in fips mode using the FIPS validated OpenSSL library.

CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has fips=1 (prelink disabled, dracut -f, reboot shows cat /proc/sys/crypto/fips_enabled = 1)

Tomcat 7.0.54 running, and compiled the tcnative APR lib with:

./configure --with-apr=`which apr-1-config` --with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes --prefix=/usr/share/apache-tomcat-7.0.54

Setenv.sh:

#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

Server.xml:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Connector.xml:

<Connector clientAuth="false" port="9443" protocol="HTTP/1.1" SSLEnabled="true"
    scheme="https" secure="true"
    SSLCertificateFile="/etc/private/rsacert.pem"
    SSLCertificateKeyFile="/etc/private/rsakey.pem"
    SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
    SSLDisableCompression="true" SSLHonorCipherOrder="true"
    SSLVerifyClient="optional" SSLProtocol="TLSv1"
    server="Prism Server" connectionTimeout="6" keepAliveTimeout="6"
    maxKeepAliveRequests="100" maxThreads="150" maxPostSize="2097152"
    maxHeaderCount="50" maxHttpHeaderSize="8190" allowTrace="false" />

Starting services:

service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME:        /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:       /usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.

logs/catalina.2014-06-12.log:

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
	at org.apache.tomcat.jni.SSL.initialize(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
	at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
	at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
	at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
	at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:483)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-9443]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-apr-9443]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
	at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
	at
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic <smijolo...@nutanix.com> changed:

           What    |Removed    |Added
-------------------------------------
                 CC|           |smijolo...@nutanix.com
RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
I tested TCN 1_1_30 with Tomcat 6 (which our app uses) and everything appears to work just fine. I haven't updated our install to try working with Tomcat 7. This is on a CentOS 6.5 (yum updated) box with fips mode enabled at boot, and a server.xml similar to yours.

Just looking quickly at your log I'm concerned about the 'Failed to initialize the SSLEngine' message near the beginning. As I recall I used to see this if I explicitly tried to initialize the SSL Engine twice - which openssl throws an exception on.

-R

From: bugzi...@apache.org [bugzi...@apache.org]
Sent: Wednesday, June 25, 2014 12:56 PM
To: dev@tomcat.apache.org
Subject: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Konstantin Kolinko <knst.koli...@gmail.com> changed:

           What    |Removed    |Added
-------------------------------------
             Status|NEW        |RESOLVED
         Resolution|---        |FIXED

--- Comment #18 from Konstantin Kolinko <knst.koli...@gmail.com> ---
Fixed in Tomcat 6 by r1593696 and will be in 6.0.40.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #17 from Konstantin Kolinko <knst.koli...@gmail.com> ---
Follow-ups in Tomcat 8 in r1590300 r1590339 (8.0.6), r1590340 (7.0.54).

Updated patch was proposed for Tomcat 6.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #16 from Christopher Schultz <ch...@christopherschultz.net> ---
Fixed in Tomcat trunk in r1587378, r1587379, and r1587723. Will be included in Tomcat 8.0.6 and later.

Fixed in Tomcat 7.0 branch in r1587378, r1587661, and r1587734. Will be included in Tomcat 7.0.54 and later.

Proposed for Tomcat 6.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #15 from Rob Sanders <rsand...@trustedcs.com> ---
As per request I've filed a new bug for the failure to init the RSA 512 bit temporary key (https://issues.apache.org/bugzilla/show_bug.cgi?id=56396).
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #13 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Ben Mason from comment #12)
> ...that will not fix problem #2, correct? I am seeing that on SLES 11 as
> well. Do you need someone to contribute a fix for #2, or is someone working
> on that?

I'm out of my element, there. If you've got a proposal and are willing to work on a patch, please do so. The assertion that 512-bit RSA is not valid for FIPS mode certainly seems reasonable. AFAIK, there's nothing in FIPS that established an *upper* limit on key size, or that the implementation must actually use clearly inferior algorithms.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #14 from Rob Sanders <rsand...@trustedcs.com> ---
I remember reading some of the SSL docs that certain key lengths may be invalid for regular use, they are valid for key agreement/establishment. Quoting from the somewhat confusing section 2.6.2 of the OpenSSL FIPS140 Userguide (v2.0) PDF:

===
Algorithms Available in FIPS Mode

Only the algorithms listed in tables 4a and 4b of the Security Policy are allowed in FIPS mode. Note that Diffie-Hellman and RSA are allowed in FIPS mode for key agreement and key establishment even though they are “Non-Approved” for that purpose. RSA for sign and verify is “Approved” and hence also allowed, along with all the other Approved algorithms listed in that table
===

Rather than hardcode in TCN what approved keys are, is there a way to ask the underlying openssl implementation what *it* thinks are acceptable? I don't have an answer for that.

What I did to make things work back in January was comment out the 512 bit RSA key generation in TCN before building (along with adding a check to see if FIPS mode was already set).
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #10 from Christopher Schultz <ch...@christopherschultz.net> ---
We need a tcnative release before Tomcat itself can be patched. If you grab the current tcnative 1.1.x branch, it will have what you need. If you then apply this patch to 7.0.52 (which is quite easy to re-compile yourself, actually) and deploy the two, you should be good to go.

I'm about to update the Java patch a bit to fix a minor bug and to address some of the concerns raised by some other devs. You might want to apply the new patch instead.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed    |Added
-------------------------------------
  Attachment #31226|0          |1
        is obsolete|           |

--- Comment #11 from Christopher Schultz <ch...@christopherschultz.net> ---
Created attachment 31406
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31406&action=edit
Patch against Tomcat trunk

Updated patch with improved documentation and a small bug fix for ensuring that FIPS mode was successfully entered.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #12 from Ben Mason <ben.ma...@viasat.com> ---
(In reply to Christopher Schultz from comment #10)
> We need a tcnative release before Tomcat itself can be patched. If you grab
> the current tcnative 1.1.x branch, it will have what you need. If you then
> apply this patch to 7.0.52 (which is quite easy to re-compile yourself,
> actually) and deploy the two, you should be good to go.
>
> I'm about to update the Java patch a bit to fix a minor bug and to address
> some of the concerns raised by some other devs. You might want to apply the
> new patch instead.

Thanks, Chris. I can surely do that. However, that will not fix problem #2, correct? I am seeing that on SLES 11 as well. Do you need someone to contribute a fix for #2, or is someone working on that?
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #9 from Ben Mason <ben.ma...@viasat.com> ---
(In reply to Christopher Schultz from comment #8)
> Created attachment 31226 [details]
> Proposed patch against Tomcat-trunk
>
> Feel free to adapt this patch for Tomcat 6.

Chris-

I am having the same issue as I need to boot my SLES 11 box in FIPS mode. I am using Tomcat 7.0.52. Can you tell in which, if any, Tomcat 7 release this patch will be included? Thanks.

-Ben
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #1 from Rob Sanders <rsand...@trustedcs.com> ---
Marked as major due to a customer requirement to have their RHEL6 boxes running in FIPS mode at boot. They are temporarily relaxing this while we have worked on determining the problem.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed    |Added
-------------------------------------
           Severity|major      |normal

--- Comment #2 from Christopher Schultz <ch...@christopherschultz.net> ---
I'm putting this back to normal. While your customer may consider this high-priority, and while one of the Tomcat team may fix this quickly, major would probably be considered a bug that would require an immediate fix-and-release.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
This bug will likely require (at least) two separate patches: one for avoiding double-entry into FIPS mode, one for changing the key sizes used, and possibly one for creating a native-wrapper around the FIPS_mode function call so Java can inspect the current status and take appropriate action.

I think the best situation would be to allow the user to specify more than simply "on" versus "off" for the FIPSmode configuration attribute: it would be nice to use something like "on" to enable FIPS mode by calling FIPS_mode_set if necessary, "require" to require that FIPS mode already be enabled (or throw an exception and refuse to start the connector), or maybe a third option like "enter" which would attempt to enter FIPS mode and fail if FIPS mode were already enabled (this is the current behavior).
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Rob Sanders from comment #4)
> Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode()
> before calling FIPS_mode_set() to see if we're already in fips mode. If so,
> just return 1, otherwise attempt to set to FIPS mode.

See my comment above for the behavior I'd like to see, which is incompatible with this proposal.

> There is no way that I know of to get an intelligent message back through
> the JNI without other changes, so if a status message of "Already in FIPS
> mode" would be desirable the FIPS_mode() routine will need to be exposed
> through JNI and checked from the AprLifecycleListener code before calling
> fipsModeSet.

This was my plan.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #4 from Rob Sanders <rsand...@trustedcs.com> ---
Looking at the openssl source for my box a double call to FIPS_mode_set to *enable* FIPS triggers an error - including setting the internal fips_selftest_fail flag to 1 indicating a failure.

Understood on the severity change - somewhat surprised that I can't find any real reports of this failure in general web searches or on RH's pages.

Some additional comments...

Looking for a boot entry does appear to be a RHEL 'addition', but the source also indicates you can set an environment variable to accomplish the same thing (OPENSSL_FORCE_FIPS_MODE). This is in the source code of crypto/o_init.c (after applying RH patches). The /proc/sys/crypto/fips_enabled trigger file is checked in this file also.

Looking deeper at the AprLifecycleListener initializeSSL code it does call the TCN SSL.initialize code, which drops down into some of the openssl calls that look like they bounce through the various init routines including the code in o_init.c that does the FIPS startup. So *if* the underlying platform has the fs/env check a call to FIPS_mode() prior to calling FIPS_mode_set() in TCN fipsModeSet() should detect this.

Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode() before calling FIPS_mode_set() to see if we're already in fips mode. If so, just return 1, otherwise attempt to set to FIPS mode.

There is no way that I know of to get an intelligent message back through the JNI without other changes, so if a status message of "Already in FIPS mode" would be desirable the FIPS_mode() routine will need to be exposed through JNI and checked from the AprLifecycleListener code before calling fipsModeSet.
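The two proposals in this thread (comment #3's "on" / "require" / "enter" values for the FIPSmode attribute, and comment #4's "check FIPS_mode() before FIPS_mode_set()" change to fipsModeSet()) fit together in a small decision routine. The block below is an added illustration, not code from Tomcat, tcnative or OpenSSL. It does not link OpenSSL: sim_boot(), sim_FIPS_mode(), sim_FIPS_mode_set() and sim_selftest_failed() are a constructed stand-in for the library state that reproduces what Rob describes (a second FIPS_mode_set(1) while FIPS is already on fails and latches the self-test failure flag), and fips_mode_set_idempotent() and apply_fips_policy() are hypothetical names for the tcnative-side and listener-side logic. The "verify we really entered FIPS mode" check follows comment #11.

```c
/* Added example: models the fipsModeSet() fix from comment #4 and the
 * on / require / enter policy from comment #3. OpenSSL is not linked;
 * the sim_* functions are a constructed stand-in for FIPS_mode() and
 * FIPS_mode_set() with the double-enable failure described in the thread. */
#include <stdio.h>
#include <string.h>

/* ---- constructed stand-in for the OpenSSL FIPS state ----------------- */
static int sim_fips_mode = 0;          /* what FIPS_mode() would report       */
static int sim_fips_selftest_fail = 0; /* models the fips_selftest_fail flag  */

/* Simulate the platform state: box booted with fips=1, or without it.   */
void sim_boot(int fips_at_boot)
{
    sim_fips_mode = fips_at_boot ? 1 : 0;
    sim_fips_selftest_fail = 0;
}

int sim_FIPS_mode(void) { return sim_fips_mode; }
int sim_selftest_failed(void) { return sim_fips_selftest_fail; }

/* 1 on success, 0 on failure, like FIPS_mode_set(). Enabling twice is the
 * error path from comment #4: it fails and poisons the library.          */
int sim_FIPS_mode_set(int onoff)
{
    if (sim_fips_selftest_fail)
        return 0;                       /* once failed, stays failed         */
    if (onoff && sim_fips_mode) {
        sim_fips_selftest_fail = 1;     /* double enable: latch the failure  */
        return 0;
    }
    sim_fips_mode = onoff ? 1 : 0;
    return 1;
}

/* ---- tcnative-side fix (comment #4): idempotent fipsModeSet ---------- */
/* Returns 1 if FIPS mode is on afterwards, 0 if entering it failed.     */
int fips_mode_set_idempotent(void)
{
    if (sim_FIPS_mode())
        return 1;                       /* already on: never call set again  */
    return sim_FIPS_mode_set(1);
}

/* ---- listener-side policy (comment #3) ------------------------------- */
enum fips_result {
    FIPS_OK = 0,
    FIPS_ERR_NOT_ENABLED,   /* "require" but the platform is not in FIPS mode */
    FIPS_ERR_ALREADY_ON,    /* "enter" but FIPS mode was already on           */
    FIPS_ERR_ENTER_FAILED,  /* FIPS_mode_set(1) failed or did not take effect */
    FIPS_ERR_BAD_MODE       /* unknown attribute value                        */
};

/* mode is the FIPSmode attribute value: "off", "on", "require" or "enter". */
enum fips_result apply_fips_policy(const char *mode)
{
    int already_on = sim_FIPS_mode();

    if (strcmp(mode, "off") == 0)
        return FIPS_OK;
    if (strcmp(mode, "require") == 0)
        return already_on ? FIPS_OK : FIPS_ERR_NOT_ENABLED;
    if (strcmp(mode, "enter") == 0) {
        /* Refuse before calling set, so the library is not poisoned. */
        if (already_on)
            return FIPS_ERR_ALREADY_ON;
        return (sim_FIPS_mode_set(1) && sim_FIPS_mode()) ? FIPS_OK : FIPS_ERR_ENTER_FAILED;
    }
    if (strcmp(mode, "on") == 0) {
        /* Enter only if needed, then confirm the mode really took (comment #11). */
        return (fips_mode_set_idempotent() && sim_FIPS_mode()) ? FIPS_OK : FIPS_ERR_ENTER_FAILED;
    }
    return FIPS_ERR_BAD_MODE;
}

static const char *result_name(enum fips_result r)
{
    static const char *names[] = { "OK", "NOT_ENABLED", "ALREADY_ON", "ENTER_FAILED", "BAD_MODE" };
    return names[r];
}

int main(void)
{
    const char *modes[] = { "off", "on", "require", "enter" };
    int boot, i;

    /* The pre-fix behaviour: an unconditional FIPS_mode_set(1) on a fips=1 box. */
    sim_boot(1);
    printf("naive FIPS_mode_set(1) on a fips=1 box -> %d (selftest_fail=%d)\n",
           sim_FIPS_mode_set(1), sim_selftest_failed());

    for (boot = 0; boot <= 1; boot++) {
        for (i = 0; i < 4; i++) {
            sim_boot(boot);
            printf("boot fips=%d  FIPSmode=%-8s -> %s (FIPS_mode now %d)\n",
                   boot, modes[i], result_name(apply_fips_policy(modes[i])), sim_FIPS_mode());
        }
    }
    return 0;
}
```

The point of the table main() prints is that "on" succeeds on both a fips=1 box and a non-FIPS box without ever issuing the second FIPS_mode_set(1), "require" is the strict deployment setting (it never changes library state, it only checks it), and "enter" reproduces the original failure but reports it before the library's self-test flag is latched.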
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #6 from Christopher Schultz <ch...@christopherschultz.net> ---
Added fipsModeGet JNI implementation in both tcnative trunk and tcnative 1.1.x branch. Will be in tcnative 1.1.30.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #7 from Rob Sanders <rsand...@trustedcs.com> ---
Concur on comment 3 - had dueling edits going on. For our customer at the moment I'm implementing the TCN only fix. Once the next TC6 and TCN releases are out we'll move to them.

Thanks Chris.
[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #8 from Christopher Schultz <ch...@christopherschultz.net> ---
Created attachment 31226
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31226&action=edit
Proposed patch against Tomcat-trunk

Feel free to adapt this patch for Tomcat 6.