[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2017-02-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #24 from Christopher Schultz  ---
(In reply to Ben Mason from comment #21)
> I am still getting this error as well. Is this the key length issue? It is
> unclear in this thread whether that was ever fixed. Rob Sanders said he
> filed another bug, but it appears it was deleted.

Just a note for archival purposes: the bug referenced above was certainly NOT
deleted. It was CLOSED FIXED.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2017-02-07 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=56027

Mark Thomas  changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution|--- |FIXED

--- Comment #23 from Mark Thomas  ---
This should no longer be an issue in 1.2.x.

The fips mode setting has been fixed.

SSL_TMP_KEYS_INIT does not exist in 1.2.x.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #21 from Ben Mason ben.ma...@viasat.com ---
I am still getting this error as well. Is this the key length issue? It is
unclear in this thread whether that was ever fixed. Rob Sanders said he filed
another bug, but it appears it was deleted.


(In reply to Christopher Schultz from comment #20)
> I believe the SSL2 MD5 routines problem is different from this issue,
> which was to allow Tomcat to start up with OpenSSL already in FIPS mode
> (e.g. don't choke and die if we're already in FIPS mode).
> 
> Next, Tomcat tries to initialize the SSL endpoint with a list of ciphers and
> I think it requests too many ciphers (and violates FIPS requirements). I'm
> not sure why this fails when already in FIPS mode versus working when
> explicitly entering FIPS mode first. I thought this failure had been
> reported elsewhere but I can't seem to find the reference right now.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #22 from Konstantin Kolinko knst.koli...@gmail.com ---
(In reply to Ben Mason from comment #21)
> Is this the key length issue? It is
> unclear in this thread whether that was ever fixed. Rob Sanders said he
> filed another bug, but it appears it was deleted.

Key length issue is bug 56396, should be fixed in TCNative 1.1.31. (r1587896)




RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread Robert Sanders
Now I'm confused.  When Mladen posted his patch against bug 56396 I'd pulled 
that code and tested it and it worked.  So I thought it would be in TCN 1.1.30. 
 But when I look at TCNative 1.1.30 (included in Tomcat 6.0.41) I don't see 
that code, and without it my tests should have failed.  
So it looks like I not only messed up my testing against bug 56396 (pulled 
wrong code?), but also must have done something wrong when testing 6.0.41 with 
the included tcn1.1.30 last week.  
Let me see if I can figure out what I did wrong.

-R




RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-07-02 Thread Robert Sanders
Just double checked - error appears to be on my side.  I stood up a pristine 
CentOS 6.5 box with Tomcat 6.0.41/TCN1.1.30 in FIPS mode and it fails to start. 
 Manually applying the bugfix as suggested in bug 56396 does work.  My 
apologies for flagging this as working earlier in this thread.  
I think there was some debris from testing that actually made things work when 
I tried to verify this earlier.

-R





[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #20 from Christopher Schultz ch...@christopherschultz.net ---
I believe the SSL2 MD5 routines problem is different from this issue, which
was to allow Tomcat to start up with OpenSSL already in FIPS mode (e.g. don't
choke and die if we're already in FIPS mode).

Next, Tomcat tries to initialize the SSL endpoint with a list of ciphers and I
think it requests too many ciphers (and violates FIPS requirements). I'm not
sure why this fails when already in FIPS mode versus working when explicitly
entering FIPS mode first. I thought this failure had been reported elsewhere but
I can't seem to find the reference right now.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-25 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic smijolo...@nutanix.com changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
Version|1.1.29  |1.1.30
 Resolution|FIXED   |---

--- Comment #19 from Simon Mijolovic smijolo...@nutanix.com ---
Still running into this issue where the APR library won't load when in fips
mode using the FIPS validated OpenSSL library.

CentOS 6.5 with OpenSSL 1.0.1e-16..el6_5.x86_64, and /boot/grub/grub.conf has
fips=1 (prelink disabled, dracut -f, reboot shows cat
/proc/sys/crypto/fips_enabled = 1)

Tomcat 7.0.54 running, and compiled the tcnative APR lib with:
./configure --with-apr=`which apr-1-config`
--with-java-home=/usr/java/jdk1.8.0_05 --with-ssl=yes
--prefix=/usr/share/apache-tomcat-7.0.54

Setenv.sh:
#!/bin/bash
umask 0026
LD_LIBRARY_PATH=/usr/share/apache-tomcat-7.0.54/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH

Server.xml:
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

Connector.xml:
<Connector
  clientAuth="false"
  port="9443"
  protocol="HTTP/1.1"
  SSLEnabled="true"
  scheme="https"
  secure="true"
  SSLCertificateFile="/etc/private/rsacert.pem"
  SSLCertificateKeyFile="/etc/private/rsakey.pem"
  SSLCipherSuite="ECDH+AESGCM:ECDH+AES256:ECDH+AES128:RSA+AES:!aNULL:!MD5:!DSS"
  SSLDisableCompression="true"
  SSLHonorCipherOrder="true"
  SSLVerifyClient="optional"
  SSLProtocol="TLSv1"
  server="Prism Server"
  connectionTimeout="6"
  keepAliveTimeout="6"
  maxKeepAliveRequests="100"
  maxThreads="150"
  maxPostSize="2097152"
  maxHeaderCount="50"
  maxHttpHeaderSize="8190"
  allowTrace="false"
/>

Starting services:
service tomcat start
Using CATALINA_BASE:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_HOME:   /usr/share/apache-tomcat-7.0.54
Using CATALINA_TMPDIR: /usr/share/apache-tomcat-7.0.54/temp
Using JRE_HOME:        /usr/java/jdk1.8.0_05/jre
Using CLASSPATH:       /usr/share/apache-tomcat-7.0.54/bin/bootstrap.jar:/usr/share/apache-tomcat-7.0.54/bin/tomcat-juli.jar
Tomcat started.

logs/catalina.2014-06-12.log:

Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.3.9.
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener init
INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
Jun 12, 2014 1:30:20 PM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
org.apache.tomcat.jni.Error: 70023: This function has not been implemented on this platform
    at org.apache.tomcat.jni.SSL.initialize(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:270)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:124)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:117)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.util.LifecycleBase.setStateInternal(LifecycleBase.java:402)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:99)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:483)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)

Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-9443]
Jun 12, 2014 1:30:20 PM org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-apr-9443]
java.lang.Exception: Unable to create SSLContext. Check that SSLEngine is enabled in the AprLifecycleListener, the AprLifecycleListener has initialised correctly and that a valid SSLProtocol has been specified
    at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:503)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
    at 

[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-25 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Simon Mijolovic smijolo...@nutanix.com changed:

   What|Removed |Added

 CC||smijolo...@nutanix.com




RE: [Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-06-25 Thread Robert Sanders
I tested TCN 1_1_30 with Tomcat 6 (which our app uses) and everything appears 
to work just fine.  I haven't updated our install to try working with Tomcat 7. 
This is on a CentOS 6.5 (yum updated) box with fips mode enabled at boot, and 
a server.xml similar to yours.  
Just looking quickly at your log I'm concerned about the 'Failed to initialize 
the SSLEngine' message near the beginning.  As I recall I used to see this if I 
explicitly tried to initialize the SSL Engine twice - which openssl throws an 
exception on.

-R




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-05-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Konstantin Kolinko knst.koli...@gmail.com changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #18 from Konstantin Kolinko knst.koli...@gmail.com ---
Fixed in Tomcat 6 by r1593696 and will be in 6.0.40.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-04-26 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #17 from Konstantin Kolinko knst.koli...@gmail.com ---
Follow-ups in Tomcat 8 in r1590300 r1590339 (8.0.6), r1590340 (7.0.54).
Updated patch was proposed for Tomcat 6.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-04-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #16 from Christopher Schultz ch...@christopherschultz.net ---
Fixed in Tomcat trunk in r1587378, r1587379, and r1587723. Will be included in
Tomcat 8.0.6 and later.
Fixed in Tomcat 7.0 branch in r1587378, r1587661, and r1587734. Will be
included in Tomcat 7.0.54 and later.
Proposed for Tomcat 6.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-04-11 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #15 from Rob Sanders rsand...@trustedcs.com ---
As per request I've filed a new bug for the failure to init the RSA 512 bit
temporary key (https://issues.apache.org/bugzilla/show_bug.cgi?id=56396).




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #13 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to Ben Mason from comment #12)
> ...that will not fix problem #2,
> correct? I am seeing that on SLES 11 as well. Do you need someone to
> contribute a fix for #2, or is someone working on that?

I'm out of my element, there. If you've got a proposal and are willing to work
on a patch, please do so. The assertion that 512-bit RSA is not valid for FIPS
mode certainly seems reasonable. AFAIK, there's nothing in FIPS that
established an *upper* limit on key size, or that the implementation must
actually use clearly inferior algorithms.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-20 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #14 from Rob Sanders rsand...@trustedcs.com ---
I remember reading in some of the SSL docs that certain key lengths, while they
may be invalid for regular use, are valid for key agreement/establishment.
Quoting from the somewhat confusing section 2.6.2 of the OpenSSL FIPS140
Userguide (v2.0) PDF:

===
Algorithms Available in FIPS Mode
Only the algorithms listed in tables 4a and 4b of the Security Policy are
allowed in FIPS mode.
Note that Diffie-Hellman and RSA are allowed in FIPS mode for key agreement and
key establishment even though they are “Non-Approved” for that purpose. RSA for
sign and verify is “Approved” and hence also allowed, along with all the other
Approved algorithms listed in that table
===

Rather than hardcode in TCN what approved keys are, is there a way to ask the
underlying openssl implementation what *it* thinks are acceptable?  I don't
have an answer for that.  What I did to make things work back in January was
comment out the 512 bit RSA key generation in TCN before building (along with
adding a check to see if FIPS mode was already set).




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #10 from Christopher Schultz ch...@christopherschultz.net ---
We need a tcnative release before Tomcat itself can be patched.

If you grab the current tcnative 1.1.x branch, it will have what you need. If
you then apply this patch to 7.0.52 (which is quite easy to re-compile
yourself, actually) and deploy the two, you should be good to go.

I'm about to update the Java patch a bit to fix a minor bug and to address some
of the concerns raised by some other devs. You might want to apply the new
patch instead.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Christopher Schultz ch...@christopherschultz.net changed:

   What|Removed |Added

  Attachment #31226|0   |1
is obsolete||

--- Comment #11 from Christopher Schultz ch...@christopherschultz.net ---
Created attachment 31406
  -- https://issues.apache.org/bugzilla/attachment.cgi?id=31406&action=edit
Patch against Tomcat trunk

Updated patch with improved documentation and a small bug fix for ensuring that
FIPS mode was successfully entered.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-19 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #12 from Ben Mason ben.ma...@viasat.com ---
(In reply to Christopher Schultz from comment #10)
> We need a tcnative release before Tomcat itself can be patched.
> 
> If you grab the current tcnative 1.1.x branch, it will have what you need.
> If you then apply this patch to 7.0.52 (which is quite easy to re-compile
> yourself, actually) and deploy the two, you should be good to go.
> 
> I'm about to update the Java patch a bit to fix a minor bug and to address
> some of the concerns raised by some other devs. You might want to apply the
> new patch instead.

Thanks, Chris. I can surely do that. However, that will not fix problem #2,
correct? I am seeing that on SLES 11 as well. Do you need someone to contribute
a fix for #2, or is someone working on that?




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-03-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #9 from Ben Mason ben.ma...@viasat.com ---
(In reply to Christopher Schultz from comment #8)
> Created attachment 31226 [details]
> Proposed patch against Tomcat-trunk
> 
> Feel free to adapt this patch for Tomcat 6.

Chris-

I am having the same issue as I need to boot my SLES 11 box in FIPS mode. I am
using Tomcat 7.0.52. Can you tell in which, if any, Tomcat 7 release this patch
will be included?

Thanks.
-Ben




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #1 from Rob Sanders rsand...@trustedcs.com ---
Marked as major due to a customer requirement to have their RHEL6 boxes running
in FIPS mode at boot.  They are temporarily relaxing this while we work on
determining the problem.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

Christopher Schultz ch...@christopherschultz.net changed:

   What|Removed |Added

   Severity|major   |normal

--- Comment #2 from Christopher Schultz ch...@christopherschultz.net ---
I'm putting this back to normal. While your customer may consider this
high-priority, and while one of the Tomcat team may fix this quickly, "major"
would probably be considered a bug that would require an immediate
fix-and-release.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #3 from Christopher Schultz ch...@christopherschultz.net ---
This bug will likely require (at least) two separate patches: one for avoiding
double-entry into FIPS mode, one for changing the key sizes used, and possibly
one for creating a native-wrapper around the FIPS_mode function call so Java
can inspect the current status and take appropriate action.

I think the best situation would be to allow the user to specify more than
simply "on" versus "off" for the FIPSmode configuration attribute: it would be
nice to use something like "on" to enable FIPS mode by calling FIPS_mode_set if
necessary, "require" to require that FIPS mode already be enabled (or throw an
exception and refuse to start the connector), or maybe a third option like
"enter" which would attempt to enter FIPS mode and fail if FIPS mode were
already enabled (this is the current behavior).




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #5 from Christopher Schultz ch...@christopherschultz.net ---
(In reply to Rob Sanders from comment #4)
> Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode()
> before calling FIPS_mode_set() to see if we're already in fips mode.  If so,
> just return 1, otherwise attempt to set to FIPS mode.

See my comment above for the behavior I'd like to see, which is incompatible
with this proposal.

> There is no way that
> I know of to get an intelligent message back through the JNI without other
> changes, so if a status message of "Already in FIPS mode" would be
> desirable the FIPS_mode() routine will need to be exposed through JNI and
> checked from the AprLifecycleListener code before calling fipsModeSet.

This was my plan.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #4 from Rob Sanders rsand...@trustedcs.com ---
Looking at the openssl source for my box a double call to FIPS_mode_set to
*enable* FIPS triggers an error - including setting the internal
fips_selftest_fail flag to 1 indicating a failure.

Understood on the severity change - somewhat surprised that I can't find any
real reports of this failure in general web searches or on RH's pages.

Some additional comments...

Looking for a boot entry does appear to be a RHEL 'addition', but the source
also indicates you can set an environment variable to accomplish the same thing
(OPENSSL_FORCE_FIPS_MODE). This is in the source code of crypto/o_init.c (after
applying RH patches).  The /proc/sys/crypto/fips_enabled trigger file is
checked in this file also.

Looking deeper at the AprLifecycleListener initializeSSL code it does call the
TCN SSL.initialize code, which drops down into some of the openssl calls that
look like they bounce through the various init routines including the code in
o_init.c that does the FIPS startup.  So *if* the underlying platform has the
fs/env check, a call to FIPS_mode() prior to calling FIPS_mode_set() in TCN
fipsModeSet() should detect this.

Proposed fix - in TCN src/ssl.c fipsModeSet() routine, call FIPS_mode() before
calling FIPS_mode_set() to see if we're already in fips mode.  If so, just
return 1, otherwise attempt to set to FIPS mode.  There is no way that I know
of to get an intelligent message back through the JNI without other changes, so
if a status message of "Already in FIPS mode" would be desirable the
FIPS_mode() routine will need to be exposed through JNI and checked from the
AprLifecycleListener code before calling fipsModeSet.

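The decision logic sketched in comment #3 (an "on" / "require" / "enter" FIPSmode attribute) and the guard proposed in comment #4 (call FIPS_mode() before FIPS_mode_set()), as an added example; this is not code from the bug thread, from Tomcat or from tcnative. The FipsApi interface stands in for the JNI calls the thread names (fipsModeGet, fipsModeSet); its shape is an assumption of this example. The FakeOpenSsl class models the behaviour Rob describes in comment #4, where a second FIPS_mode_set(1) while already in FIPS mode fails and latches a self-test failure, so the guard can be exercised without a FIPS-capable OpenSSL. kernelFipsEnabled takes the path to the fips_enabled flag as a parameter so it can be checked against a copy of the file.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class FipsModeGuard {

    /**
     * Stand-in for the tcnative JNI surface (SSL.fipsModeGet / SSL.fipsModeSet as
     * named in the thread; this interface is an assumption of the example).
     * Values follow OpenSSL: 1 = FIPS mode on, 0 = off.
     */
    public interface FipsApi {
        int fipsModeGet();          // wraps FIPS_mode()
        int fipsModeSet(int onOff); // wraps FIPS_mode_set(); returns the resulting state
    }

    /** The FIPSmode attribute values proposed in comment #3. */
    public enum Mode { OFF, ON, ENTER, REQUIRE }

    /**
     * Applies the policy and returns whether FIPS mode is active afterwards.
     * FIPS_mode_set(1) is only issued when FIPS_mode() reports off, so a box that
     * booted with fips=1 never hits the double-entry failure from comment #4.
     */
    public static boolean apply(Mode mode, FipsApi ssl) {
        if (mode == Mode.OFF) {
            return false;
        }
        boolean alreadyOn = ssl.fipsModeGet() == 1;
        switch (mode) {
            case REQUIRE:
                if (!alreadyOn) {
                    throw new IllegalStateException("FIPSmode=require but OpenSSL is not in FIPS mode");
                }
                return true;
            case ENTER:
                if (alreadyOn) {
                    throw new IllegalStateException("FIPSmode=enter but OpenSSL is already in FIPS mode");
                }
                break;
            case ON:
                if (alreadyOn) {
                    return true;
                }
                break;
            default:
                throw new IllegalArgumentException("Unsupported FIPSmode: " + mode);
        }
        // Reached only when FIPS is off and the policy asks us to enter it.
        if (ssl.fipsModeSet(1) != 1) {
            throw new IllegalStateException("FIPS_mode_set(1) failed; OpenSSL refused to enter FIPS mode");
        }
        return true;
    }

    /** Reads the kernel flag the report checks (/proc/sys/crypto/fips_enabled on RHEL/CentOS). */
    public static boolean kernelFipsEnabled(Path fipsEnabledFile) throws IOException {
        String value = new String(Files.readAllBytes(fipsEnabledFile), StandardCharsets.US_ASCII).trim();
        return "1".equals(value);
    }

    /**
     * Fake OpenSSL for running the guard offline (constructed for this example). It models
     * comment #4: FIPS_mode_set(1) while already in FIPS mode fails and latches a self-test
     * failure, after which FIPS mode can no longer be entered.
     */
    public static final class FakeOpenSsl implements FipsApi {
        private int mode;
        private boolean selftestFailed;

        public FakeOpenSsl(boolean bootedInFips) {
            this.mode = bootedInFips ? 1 : 0;
        }

        @Override public int fipsModeGet() {
            return mode;
        }

        @Override public int fipsModeSet(int onOff) {
            if (onOff == 1 && (mode == 1 || selftestFailed)) {
                selftestFailed = true;
                return 0;
            }
            mode = onOff;
            return mode;
        }
    }

    public static void main(String[] args) {
        // Pre-fix behaviour: unconditional FIPS_mode_set(1) on a box booted with fips=1.
        FakeOpenSsl bootedInFips = new FakeOpenSsl(true);
        System.out.println("unguarded FIPS_mode_set(1) on a FIPS-booted box returns " + bootedInFips.fipsModeSet(1));

        // Guarded behaviour for each policy on a FIPS-booted box and on a plain box.
        System.out.println("on/fips box:       " + apply(Mode.ON, new FakeOpenSsl(true)));
        System.out.println("require/fips box:  " + apply(Mode.REQUIRE, new FakeOpenSsl(true)));
        System.out.println("on/plain box:      " + apply(Mode.ON, new FakeOpenSsl(false)));
        System.out.println("enter/plain box:   " + apply(Mode.ENTER, new FakeOpenSsl(false)));
        try {
            apply(Mode.REQUIRE, new FakeOpenSsl(false));
        } catch (IllegalStateException e) {
            System.out.println("require/plain box: " + e.getMessage());
        }
    }
}
```

On a box where /proc/sys/crypto/fips_enabled reads 1, "require" is the setting that fails closed: it never calls FIPS_mode_set and refuses to start if the library is somehow not in FIPS mode, which is the check a compliance-driven deployment like the one in comment #1 wants.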



[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #6 from Christopher Schultz ch...@christopherschultz.net ---
Added fipsModeGet JNI implementation in both tcnative trunk and tcnative 1.1.x
branch. Will be in tcnative 1.1.30.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #7 from Rob Sanders rsand...@trustedcs.com ---
Concur on comment 3 - had dueling edits going on.
For our customer at the moment I'm implementing the TCN only fix.  Once the
next TC6 and TCN releases are out we'll move to them.

Thanks Chris.




[Bug 56027] Unable to use TCN on RHEL6 boxes if box is booted in fips mode

2014-01-17 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56027

--- Comment #8 from Christopher Schultz ch...@christopherschultz.net ---
Created attachment 31226
  -- https://issues.apache.org/bugzilla/attachment.cgi?id=31226&action=edit
Proposed patch against Tomcat-trunk

Feel free to adapt this patch for Tomcat 6.
