I use the src rpm downloaded from http://koji.fedoraproject.org/koji/buildinfo?buildID=551423 .

I inquired about this issue with one of the package maintainers from koji.fedoraproject.org, and the following was his comment.

"Apparently the Known answer test for RSA X9.31 signatures
does not match anymore which is most probably caused by change in
rsa_eay.c introduced in 1.0.1i. The question is whether the change was
wrong or whether the known answer test value in the FIPS selftest is
wrong."

I reverted the file rsa_eay.c to the previous version (1.0.1h), which fixed
the issue. Just wanted to share this in case someone else is facing the same
issue with that src rpm.

Is this safe?

Regards,
Abdul

On 12-Aug-14 11:37 PM, Dr. Stephen Henson wrote:
On Mon, Aug 11, 2014, Abdul Anshad wrote:

Hello All,

I have a setup which runs Apache http-2.4.10 and Openssl-1.0.1i,
when I try to start the http server with FIPS mode I get the
following error.

[Mon Aug 11 14:39:24.407781 2014] [suexec:notice] [pid 380] AH01232:
suEXEC mechanism enabled (wrapper: /apps/apache/2.4.10/bin/suexec)
[Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885:
FIPS mode failed
[Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library
Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test
failure (Type=RSA SHA1 X931)
[Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312:
Fatal error initialising mod_ssl, exiting.
AH00016: Configuration Failed

Could somebody help me out with this issue? Thanks in advance.

Which version of the validated module are you using?

That's a POST failure. The usual cause of that is a compiler bug.

In the FIPS capable OpenSSL directory (i.e. 1.0.1i in your case) try this:

OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl md5 /dev/null
OPENSSL_FIPS=1 util/shlib_wrap.sh apps/openssl sha1 /dev/null

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
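
For triaging logs like the one quoted in this thread, the following added example (not part of the original messages and not OpenSSL or Apache code) extracts FIPS self-test failures from an Apache error log and splits the packed error code into its fields. It assumes the OpenSSL 1.0.x error layout of 8 bits library, 12 bits function and 12 bits reason; the function names `unpack_error` and `find_selftest_failures` are hypothetical, and the sample log is constructed from the lines in the report, unwrapped to one record per line.

```python
import re

# Constructed sample: the mod_ssl lines from the report above, unwrapped to one
# record per line as Apache writes them.
SAMPLE_LOG = """\
[Mon Aug 11 14:39:24.428616 2014] [ssl:emerg] [pid 380] AH01885: FIPS mode failed
[Mon Aug 11 14:39:24.428656 2014] [ssl:emerg] [pid 380] SSL Library Error: error:2D06D075:FIPS routines:fips_pkey_signature_test:test failure (Type=RSA SHA1 X931)
[Mon Aug 11 14:39:24.428663 2014] [ssl:emerg] [pid 380] AH02312: Fatal error initialising mod_ssl, exiting.
"""

# error:<8 hex digits>:<library>:<function>:<reason text> (optional "(Type=...)")
ERR_RE = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]*):(?P<func>[^:]*):(?P<reason>[^(\n]*)"
    r"(?:\(Type=(?P<type>[^)]*)\))?"
)

def unpack_error(code_hex):
    """Split a packed error code into (lib, func, reason).
    Assumption: OpenSSL 1.0.x layout, 8 bits lib / 12 bits func / 12 bits reason."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def find_selftest_failures(log_text):
    """Return one dict per 'FIPS routines' error record found in the log."""
    hits = []
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m or m.group("lib") != "FIPS routines":
            continue  # not an OpenSSL error record, or not from the FIPS library
        lib, func, reason = unpack_error(m.group("code"))
        hits.append({
            "code": m.group("code").upper(),
            "lib": lib, "func": func, "reason": reason,
            "function": m.group("func"),
            "text": m.group("reason").strip(),
            "test": m.group("type"),  # which self-test failed, if reported
        })
    return hits

if __name__ == "__main__":
    for hit in find_selftest_failures(SAMPLE_LOG):
        print(hit)
```

The `test` field identifies which known answer test failed, which is the detail the maintainer's comment above turns on.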



