I'm testing the FIPS Capable OpenSSL library with nginx. nginx starts a master process which calls:

    SSL_library_init();
    SSL_load_error_strings();
    OpenSSL_add_all_algorithms();

The master then starts a number of child processes. It does so by forking without an exec (if I am reading the source code properly). The master process does *not* install OpenSSL static locks, but nginx is not multi-threaded.

When operating in non-FIPS mode, SSL/TLS connections proceed as expected when connecting to https://localhost during testing (but testing is very limited, and I have not load tested with a tool like Apache's 'ab').

When operating in FIPS mode, the following occurs during a connection to https://localhost:

<nginx log>
2013/12/20 13:57:13 [crit] 8123#0: *1 SSL_do_handshake() failed (SSL:
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
error:04075083:rsa routines:RSA_sign:invalid message length
error:1409B004:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:RSA lib)
while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
</nginx log>

SSL3_SEND_SERVER_KEY_EXCHANGE is a puzzling failure since it appears to be DTLS related. I'm beginning to wonder if the forks are causing trouble for OpenSSL when operating in FIPS mode.

Does anyone have any ideas for troubleshooting the issue?

Thanks in advance.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
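
A troubleshooting aid for the error queue in the log above, added here as an example and not part of the original post: it splits the queue into entries in logged order (ERR_get_error returns the earliest queued error first), collapses repeats, and unpacks each code. It assumes the OpenSSL 1.0.x packed layout (8-bit library, 12-bit function, 12-bit reason); `SAMPLE`, `decode` and `summarize` are names made up for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: the error queue from the nginx log line in the post, shortened.
SAMPLE = (
    "SSL_do_handshake() failed (SSL: "
    "error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed "
    "error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed "
    "error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed "
    "error:04075083:rsa routines:RSA_sign:invalid message length "
    "error:1409B004:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:RSA lib) "
    "while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443"
)

# One queue entry: error:<8 hex digits>:<library>:<function>:<reason text>
ENTRY = re.compile(
    r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*?)(?= error:|\)|$)"
)


def decode(code_hex):
    """Unpack a code as (lib, func, reason); assumed OpenSSL 1.0.x layout."""
    code = int(code_hex, 16)
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def summarize(log_line):
    """Return the unique queue entries in logged order, with repeat counts."""
    seen = OrderedDict()
    for code_hex, lib_name, func_name, reason in ENTRY.findall(log_line):
        key = code_hex.upper()
        if key not in seen:
            lib, func, rsn = decode(key)
            seen[key] = {
                "code": key, "lib": lib, "func": func, "reason": rsn,
                "lib_name": lib_name, "func_name": func_name,
                "reason_text": reason.strip(), "count": 0,
            }
        seen[key]["count"] += 1
    return list(seen.values())


if __name__ == "__main__":
    for pos, e in enumerate(summarize(SAMPLE), 1):
        print("%d. %s x%d lib=%d func=%d reason=%d  %s / %s: %s" % (
            pos, e["code"], e["count"], e["lib"], e["func"], e["reason"],
            e["lib_name"], e["func_name"], e["reason_text"]))
```
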