Igor,
Thanks for the information.
I have given some information in response to your comments below.
Please let me know if you have any questions or concerns.
Thanks,
Srinivas
-----------------------------------------------------------------------------------------------------------
As far as I can see your apache has been compiled with the wrong version of openssl:
"--with-ssl=/usr/local/ssl"
but your openssl fips is installed under
/usr/local/ssl/bin/openssl
so no wonder fips is not working
Here is ldd information for httpd;
root@hqd-unixtst-s2 #> ldd -d /usr/local/apache/bin/httpd
libm.so.2 => /usr/lib/libm.so.2
libaprutil-1.so.0 => /usr/local/apache/lib/libaprutil-1.so.0
libexpat.so.1 => /usr/local/lib/libexpat.so.1
libiconv.so.2 => /usr/local/lib/libiconv.so.2
libapr-1.so.0 => /usr/local/apache/lib/libapr-1.so.0
libuuid.so.1 => /usr/lib/libuuid.so.1
libsendfile.so.1 => /usr/lib/libsendfile.so.1
librt.so.1 => /usr/lib/librt.so.1
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libpthread.so.1 => /usr/lib/libpthread.so.1
libc.so.1 => /usr/lib/libc.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmd.so.1 => /usr/lib/libmd.so.1
libmp.so.2 => /usr/lib/libmp.so.2
libscf.so.1 => /usr/lib/libscf.so.1
libdoor.so.1 => /usr/lib/libdoor.so.1
libuutil.so.1 => /usr/lib/libuutil.so.1
libgen.so.1 => /usr/lib/libgen.so.1
root@hqd-unixtst-s2 #>
-----------------------------------------------------------------------------
Here is the openssl folder information on the server.
root@hqd-unixtst-s2 #> pwd
/usr/local/ssl
root@hqd-unixtst-s2 #> ls
bin certs fips-2.0 include lib man
misc openssl.cnf private
root@hqd-unixtst-s2 #>
It seems /usr/local/ssl/bin has the openssl cmd and /usr/local/ssl has all the libs
and the other folders above.
The openssl-fips folder is located under /usr/local/ssl/fips-2.0.
Here is the information in the /usr/local/apache/logs/error_log file, if I
remove SSLFips On from the config file:
root@hqd-unixtst-s2 #> cat error_log
[Fri Dec 07 15:01:41 2012] [notice] SSL FIPS mode disabled
[Fri Dec 07 15:01:41 2012] [warn] Init: Session Cache is not configured [hint:
SSLSessionCache]
[Fri Dec 07 15:01:43 2012] [notice] Digest: generating secret for digest
authentication ...
[Fri Dec 07 15:01:43 2012] [notice] Digest: done
[Fri Dec 07 15:01:43 2012] [notice] SSL FIPS mode disabled
[Fri Dec 07 15:01:43 2012] [notice] Apache/2.2.23 (Unix) mod_ssl/2.2.23
OpenSSL/1.0.1c-fips configured -- resuming normal operations
[Fri Dec 07 15:04:26 2012] [error] [client 192.168.63.90] File does not exist:
/usr/local/apache/htdocs/favicon.ico
[Fri Dec 07 15:28:42 2012] [notice] caught SIGTERM, shutting down
[Fri Dec 07 15:28:50 2012] [notice] SSL FIPS mode disabled
[Fri Dec 07 15:28:50 2012] [warn] Init: Session Cache is not configured [hint:
SSLSessionCache]
[Fri Dec 07 15:28:52 2012] [notice] Digest: generating secret for digest
authentication ...
[Fri Dec 07 15:28:52 2012] [notice] Digest: done
[Fri Dec 07 15:28:52 2012] [notice] SSL FIPS mode disabled
[Fri Dec 07 15:28:52 2012] [notice] Apache/2.2.23 (Unix) mod_ssl/2.2.23
OpenSSL/1.0.1c-fips configured -- resuming normal operations
[Fri Dec 07 15:32:51 2012] [notice] caught SIGTERM, shutting down
[Fri Dec 07 15:32:53 2012] [emerg] FIPS mode failed
[Fri Dec 07 15:32:53 2012] [emerg] SSL Library Error: 755413103
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match
[Fri Dec 07 15:57:52 2012] [emerg] FIPS mode failed
[Fri Dec 07 15:57:52 2012] [emerg] SSL Library Error: 755413103
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match
[Fri Dec 07 16:45:14 2012] [emerg] FIPS mode failed
[Fri Dec 07 16:45:14 2012] [emerg] SSL Library Error: 755413103
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match
[Fri Dec 07 17:32:19 2012] [emerg] FIPS mode failed
[Fri Dec 07 17:32:19 2012] [emerg] SSL Library Error: 755413103
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match
root@hqd-unixtst-s2 #>
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
From: Igor Cicimov
Sent: Friday, December 07, 2012 7:11 PM
To: users
Subject: Re: [users@httpd] Help Needed
On Sat, Dec 8, 2012 at 5:52 AM, Katta, Srinivasa CTR wrote:
Hi,
Good Morning.
I was seeing the following error message in the apache log file
/usr/local/apache/logs/error_log when I tried to start the httpd daemon.
[Fri Dec 07 16:45:14 2012] [emerg] FIPS mode failed
[Fri Dec 07 16:45:14 2012] [emerg] SSL Library Error: 755413103
error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not
match
Could you please advise me how I can start the apache server, and also advise
me if I have made any mistakes.
Please find the openssl, openssh and httpd information below.
Thanks,
Srinivas
Here is the server information;
root@hqd-unixtst-s2 #> uname -a
SunOS hqd-unixtst-s2 5.10 Generic_147441-24 i86pc i386 i86pc
root@hqd-unixtst-s2 #>
Here is the openssl information;
root@hqd-unixtst-s2 #> /usr/local/ssl/bin/openssl
OpenSSL> version
OpenSSL 1.0.1c-fips 10 May 2012
OpenSSL>
Here is the openssh information;
root@hqd-unixtst-s2 #> sshd -v
sshd: illegal option -- v
OpenSSH_6.1p1, OpenSSL 1.0.1c-fips 10 May 2012
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-f config_file] [-g login_grace_time] [-h host_key_file]
[-k key_gen_time] [-o option] [-p port] [-u len]
root@hqd-unixtst-s2 #>
Here is the apache httpd version information;
root@hqd-unixtst-s2 #> ./httpd -v
Server version: Apache/2.2.23 (Unix)
Server built: Dec 7 2012 15:38:35
root@hqd-unixtst-s2 #>
Here is the httpd build configure options;
#! /bin/sh
#
# Created by configure
"./configure" \
"--prefix=/usr/local/apache" \
"--enable-mime-magic" \
"--enable-info" \
"--enable-imagemap" \
"--enable-speling" \
"--enable-rewrite" \
"--enable-authz-host" \
"--enable-authn-anon" \
"--enable-authn-dbm" \
"--enable-auth-digest" \
"--enable-cern-meta" \
"--enable-expires" \
"--enable-headers" \
"--enable-unique_id" \
"--enable-so" \
"--enable-ssl" \
"--with-ssl=/usr/local/ssl" \
"--with-included-apr" \
"$@"
-----------------------------------------------------------------------------
I added the SSLFips On option in the httpd-ssl.conf file, and right now I do not
have key files, so I commented out the following lines in the httpd-ssl.conf file:
#SSLCertificateFile "/usr/local/apache/conf/server.crt"
#SSLCertificateKeyFile "/usr/local/apache/conf/server.key"
As far as I can see your apache has been compiled with the wrong version of openssl:
"--with-ssl=/usr/local/ssl"
but your openssl fips is installed under
/usr/local/ssl/bin/openssl
so no wonder fips is not working.
-----------------------------------------------------------------------------
Srinivasa Rao Katta (Contractor)
Unix Administrator
URS Federal Services, Inc
Desk (202)-326-3170
Cell (571)-276-1846
SCSA,SCNA,RHCT
(Sun Certified System and Network Administrator)
(Redhat Certified Technician)
-----------------------------------
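A triage sketch for the startup failure reported in this thread, added here as an example and not part of either poster's message: it unpacks the decimal "SSL Library Error" value into the lib/func/reason fields of an OpenSSL 1.0.x error code (the same value as the hex in error:2D06B06F), counts FIPS startup failures in an error_log, and checks ldd output for a dynamic libssl/libcrypto dependency. The function names are hypothetical and the sample inputs are constructed from lines quoted above.

```shell
#!/bin/sh
# Added example; sample inputs are constructed from lines quoted in the thread.

# Unpack an OpenSSL 1.0.x packed error code (mod_ssl logs it in decimal):
# lib = bits 24-31, func = bits 12-23, reason = bits 0-11.
decode_ssl_error() {
    printf 'hex=%08X lib=%d func=%d reason=%d\n' "$1" \
        $(( ($1 >> 24) & 255 )) $(( ($1 >> 12) & 4095 )) $(( $1 & 4095 ))
}

# Read an error_log on stdin; print the number of "FIPS mode failed" events
# followed by each distinct decimal code logged after "SSL Library Error:".
fips_failures() {
    awk '/\[emerg\] FIPS mode failed/ { n++ }
         /SSL Library Error: [0-9]+/ {
             for (i = 1; i < NF; i++) if ($i == "Error:") codes[$(i + 1)] = 1
         }
         END { printf "%d", n; for (c in codes) printf " %s", c; printf "\n" }'
}

# Read ldd output on stdin; print the resolved path of every libssl/libcrypto
# entry, or "none" when the binary has no dynamic dependency on either
# (OpenSSL is then linked in statically or arrives via a loaded module).
ssl_libs_from_ldd() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# Constructed sample: two failed starts, wrapped log lines rejoined.
SAMPLE_LOG='[Fri Dec 07 15:32:53 2012] [emerg] FIPS mode failed
[Fri Dec 07 15:32:53 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
[Fri Dec 07 15:57:52 2012] [emerg] FIPS mode failed
[Fri Dec 07 15:57:52 2012] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match'

# Constructed sample: three entries taken from the ldd listing above.
SAMPLE_LDD='libm.so.2 => /usr/lib/libm.so.2
libapr-1.so.0 => /usr/local/apache/lib/libapr-1.so.0
libc.so.1 => /usr/lib/libc.so.1'

decode_ssl_error 755413103
printf '%s\n' "$SAMPLE_LOG" | fips_failures
printf '%s\n' "$SAMPLE_LDD" | ssl_libs_from_ldd
```

On a live host the same functions take the output of ldd on the httpd binary and the contents of error_log on stdin in place of the samples.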