On Fri, Aug 6, 2010 at 10:57 AM, <ja...@nixsecurity.org> wrote:
>
> Hello,
>
> I've recently upgraded to 2.2.16 and am encountering some issues. I've noticed the addition of SSLFIPS, however, I did not see any mention of this in the release notes. I did, however, see mention of it in the release notes for 2.3.6, interesting. I've compiled against OpenSSL 0.9.8o-fips (FIPS 1.2 module from openssl.org).
>
> I have a web application that uses OpenLDAP and SSH to add/check resources, such as users. Going through HTTPS and testing the LDAP server configuration (manually entered settings) to verify that I can communicate with the server properly, the Apache child process segfaults. The OpenLDAP version is 2.4.23.
>
> [Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
>
> Has anyone encountered this issue before?
>
> My other issue is when adding a user over HTTPS and having PHP exec() the system's ssh command to connect to the remote machine and perform a few minor operations. The error message I am getting is:
>
> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
> [Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
>
> After researching that error message a bit, it appears to be caused by an MD5 checksum and MD5 is one of the forbidden algorithms in FIPS.
>
> The above mentioned functionality worked flawlessly in 2.2.15 and below.

Did you use the same OpenSSL build with 2.2.15 and below?

My suggestion:

* Find out what symptoms are specific to the use of FIPS-enabled OpenSSL
* Get backtraces for any crashes (SIGSEGV, SIGABRT) you're seeing
* Open bugs with the appropriate component(s) -- httpd, PHP, apr, OpenLDAP, etc. -- depending on what code crashes or is implicated in misusing some other component.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
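
An added example, not part of the thread or of any project's code: a triage pass over the two error_log excerpts quoted above that separates the abort preceded by the OpenSSL FIPS assertion from the segfault that still needs a backtrace. The sample lines are reconstructed from the quoted message, and the function names are hypothetical; that the assertion line directly precedes its child's exit notice is an assumption based on that excerpt.

```python
import re

# Constructed sample: the error_log lines quoted in the thread, unwrapped.
SAMPLE_LOG = """\
[Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
[Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
"""

# httpd parent notice for a child killed by a signal.
EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<name>.+?) \((?P<signo>\d+)\)")
# OpenSSL assertion text, in the form shown in the thread.
ASSERT_RE = re.compile(
    r"^(?P<src>[\w.]+\(\d+\)): OpenSSL internal error, "
    r"assertion failed: (?P<msg>.+)$")


def triage(log_text):
    """Return one record per crashed child, linking an abort (signal 6)
    to the OpenSSL assertion logged just before it (assumed ordering)."""
    crashes, pending = [], None
    for line in log_text.splitlines():
        m = ASSERT_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = EXIT_RE.match(line)
        if not m:
            continue
        rec = {"ts": m["ts"], "pid": int(m["pid"]),
               "signo": int(m["signo"]), "signal": m["name"],
               "assertion": None, "fips_related": False}
        if pending and rec["signo"] == 6:
            rec["assertion"] = pending["src"]
            rec["fips_related"] = "FIPS" in pending["msg"]
        pending = None  # an assertion only explains the next exit notice
        crashes.append(rec)
    return crashes


def needs_backtrace(crashes):
    """PIDs whose crash has no logged explanation and needs a backtrace."""
    return [c["pid"] for c in crashes if c["assertion"] is None]


if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        print(c)
    print("backtrace needed for:", needs_backtrace(triage(SAMPLE_LOG)))
```
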