Just tested against a CentOS 6 box configured to be in FIPS mode at boot as per RH's directions and TCN will not start, tossing the same error I saw before in catalina.out:

Apr 10, 2014 9:01:19 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:269)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:108)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:813)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)

Commenting out line 77 (where the 512 bit RSA key is generated) allows TCN to start and run normally. I don't understand all of the FIPS requirements, but should execution be allowed to continue if we can generate *any* of the initial keys rather than requiring all of them? The logic of the macros in lines 68 through 82 winds up causing the SSL_TMP_KEYS_INIT(r) call at line 692 to fire if any key init fails, rather than seeing if at least one passes.

I did see in the changelog that BZ 56027 is only partially addressed, in that the fipsModeGet() method is now available.

-Rob

________________________________________
From: Robert Sanders [rsand...@trustedcs.com]
Sent: Thursday, April 10, 2014 9:15 AM
To: Tomcat Developers List
Subject: RE: [VOTE] Release Apache Tomcat Native 1.1.30

Is the TCN portion of BZ 56027 addressed completely or partially with this release? I see the exposure of the FIPS_mode setting, but it looks like the temporary 512 bit RSA key is still being done in the SSL_TMP_KEYS_INIT macro (line 77). When I hacked my workaround earlier this year I had to make sure I didn't call FIPS_mode_set if it was already set and disable the 512 bit key to get TCN to spin up correctly.

-Rob

________________________________________
From: Mladen Turk [mt...@apache.org]
Sent: Thursday, April 10, 2014 9:01 AM
To: dev@tomcat.apache.org
Subject: Re: [VOTE] Release Apache Tomcat Native 1.1.30

On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
>
> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>
> - Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites
> (including EECDH/ECDHE) are enabled.
>
> - Smoke tests of APR, with and without TLS, all passed.
>

Cool. Thanks

--
^TM
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
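
The start-up policy questioned in the first message of this thread, as an added example that is not part of the original e-mails or the tcnative source: a self-contained C model comparing "fail if any temporary key cannot be generated" with "start if at least one can". All names are hypothetical, and the stub generator assumes that FIPS mode refuses the 512-bit sizes, as the thread reports for the 512-bit RSA key.

```c
#include <stdio.h>
/* Constructed model; no name below comes from tcnative or OpenSSL. */
enum { RSA_512, RSA_1024, DH_512, DH_1024, NKEYS };
static const int key_bits[NKEYS] = { 512, 1024, 512, 1024 };
static int fips_mode = 1;   /* assumption: host is in FIPS mode */

/* Stand-in generator, 0 = success. Assumption: FIPS mode refuses the
 * 512-bit sizes, like the 512-bit RSA failure reported in the thread. */
static int gen_tmp_key(int idx, int have[NKEYS])
{
    have[idx] = !(fips_mode && key_bits[idx] < 1024);
    return have[idx] ? 0 : 1;
}

/* Policy A: OR every result together, so one refusal fails the init. */
int init_all_or_nothing(int have[NKEYS])
{
    int r = 0;
    for (int i = 0; i < NKEYS; i++)
        r |= gen_tmp_key(i, have);
    return r;   /* nonzero: SSL engine does not start */
}

/* Policy B (the alternative asked about): start if any key exists. */
int init_at_least_one(int have[NKEYS])
{
    int ok = 0;
    for (int i = 0; i < NKEYS; i++)
        ok += (gen_tmp_key(i, have) == 0);
    return ok > 0 ? 0 : 1;
}

/* Policy B leaves empty slots, so consumers need a lookup that skips them:
 * smallest available key in slots first..last with >= bits, else -1. */
int pick_tmp_key(const int have[NKEYS], int first, int last, int bits)
{
    for (int i = first; i <= last; i++)
        if (have[i] && key_bits[i] >= bits)
            return i;
    return -1;
}

int main(void)
{
    int have[NKEYS];
    int a = init_all_or_nothing(have), b = init_at_least_one(have);
    printf("all-or-nothing=%d at-least-one=%d rsa-slot=%d\n", a, b,
           pick_tmp_key(have, RSA_512, RSA_1024, 512));
    return 0;
}
```

Under policy B the empty 512-bit slots are the part that needs care: any code that hands out a temporary key has to check the slot before use, which is what `pick_tmp_key` models.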