> > I'm fairly confident that the OpenSSL library I'm using is valid and
> > uncorrupted (I've used a couple different copies: an existing set of
> > binaries being used successfully in another product internally, and a
> > newly built version which I have successfully used the openssl utility
> > against, without error).
> 
> Can you write a simple C program to link against OpenSSL and try to start it in
> FIPS mode? Does that work without error? Feel free to just steal code from
> tcnative to put together a Frankenstein's monster of code just to see if it
> works.

I've done so, and verified that my OpenSSL build seems to be working correctly, 
both in FIPS mode and not. My test program creates SHA-1 and MD5 hashes of a 
simple string value. With FIPS mode off, both hashes are returned. With FIPS 
mode on, the SHA-1 hash is returned, and the MD5 hash generates the expected 
"disabled for fips" error. There was no error at the point of FIPS_mode_set(1), 
which seems to indicate that the self tests passed. This matches what I saw 
when I used the openssl.exe utility that was compiled with OpenSSL (version 
OpenSSL 1.0.1c-fips 10 May 2012).

Using this same OpenSSL build in tcnative, however, results in the fingerprint 
error when Tomcat starts up with FIPS mode enabled.


> > My assumption is that I'm not building/linking OpenSSL correctly into
> > tcnative.
> 
> ...and you are building tcnative by hand because the OpenSSL Tomcat
> provides is not built with FIPS compatibility, right? You will have to make sure
> you have a FIPS-compatible OpenSSL (please post the result of "openssl.exe
> version") and you will definitely have to re-build tcnative against it because
> otherwise all the FIPS stuff will generate errors before even trying to call
> FIPS_mode_set on OpenSSL.

Correct. I get the expected "FIPS not available" error when I turn on FIPS mode 
using the stock tcnative-1.dll library that comes with Tomcat. The 
FIPS-compatible OpenSSL build I have reports as "OpenSSL 1.0.1c-fips 10 May 
2012".


> I notice that Tomcat distributes openssl.exe and not openssl.dll (or similar).
> Are you building openssl.exe or openssl.dll when you build OpenSSL?

Building OpenSSL on Windows results in three distributable files: libeay32.dll, 
ssleay32.dll, and openssl.exe. I copy the first two into Tomcat\bin, along with 
tcnative-1.dll, in order to make OpenSSL available to tcnative. It also results 
in libeay32.lib and ssleay32.lib, which are used in the tcnative compile 
process.


--Steve Nickels
Ipswitch, Inc. 

