I'm testing the FIPS Capable OpenSSL library with nginx. nginx starts a
master process which calls:

    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

The master then starts a number of child processes. It does so by
forking without an exec (if I am reading the source code properly).
The master process does *not* install OpenSSL static locks, but nginx
is not multi-threaded.

When operating in non-FIPS mode, SSL/TLS connections proceed as
expected when connecting to https://localhost during testing (but
testing is very limited, and I have not load tested with a tool like
Apache's 'ab').

When operating in FIPS mode, the following occurs during a connection
to https://localhost:

<nginx log>
2013/12/20 13:57:13 [crit] 8123#0: *1 SSL_do_handshake() failed (SSL:
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
error:04075083:rsa routines:RSA_sign:invalid message length
error:1409B004:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:RSA lib)
while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
</nginx log>

SSL3_SEND_SERVER_KEY_EXCHANGE is a puzzling failure since it appears
to be DTLS related. I'm beginning to wonder if the forks are causing
trouble for OpenSSL when operating in FIPS mode.

Does anyone have any ideas for troubleshooting the issue?

Thanks in advance.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
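
The error queue in the nginx log above can be unpacked to see which library raised the first error and which entries came from callers further up. This is an added example, not part of the original post; it assumes the OpenSSL 1.0.x packed error layout (8-bit library, 12-bit function, 12-bit reason) and that the log lists queue entries oldest first. The sample log is constructed from the post with the repeated lines shortened, and `parse_queue` and `summarize` are names chosen here.

```python
import re
from itertools import groupby

# Constructed sample: the error queue from the post's log, repeats shortened.
SAMPLE_LOG = """\
2013/12/20 13:57:13 [crit] 8123#0: *1 SSL_do_handshake() failed (SSL:
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
error:04075083:rsa routines:RSA_sign:invalid message length
error:1409B004:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:RSA lib)
while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
"""

# error:<8 hex digits>:<library text>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]+):([^:\n]+):([^\n)]+)")

# Library numbers from OpenSSL 1.0.x err.h (only the ones seen in this log).
LIB_NAMES = {4: "ERR_LIB_RSA", 20: "ERR_LIB_SSL", 45: "ERR_LIB_FIPS"}

def unpack(code):
    """Split a packed code the way ERR_GET_LIB/FUNC/REASON do in 1.0.x."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

def parse_queue(log_text):
    """Return one dict per queue entry, in the order the log lists them."""
    entries = []
    for m in ERR_RE.finditer(log_text):
        lib, func, reason = unpack(int(m.group(1), 16))
        entries.append({"lib": LIB_NAMES.get(lib, "lib %d" % lib),
                        "func_code": func, "reason_code": reason,
                        "function": m.group(3), "reason": m.group(4).strip()})
    return entries

def summarize(log_text):
    """Collapse consecutive repeats; the first line is the earliest error."""
    key = lambda e: (e["lib"], e["function"], e["reason"])
    out = []
    for (lib, fn, why), grp in groupby(parse_queue(log_text), key=key):
        out.append("%s %s: %s (x%d)" % (lib, fn, why, len(list(grp))))
    return out

if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Read top to bottom, the output shows the FIPS digest calls failing first, with the RSA and SSL entries queued afterwards by the code that called them.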
