Trying to understand FIPS mode status in mod_ssl
My search has identified that:

- OpenSSL FIPS Object Model 1.1 is compatible with OpenSSL v0.9.7, v0.9.7m & above, and was validated against FIPS 140-2 by 11/16/07, and that OpenSSL FIPS Object Model 1.2 validation was pending and would be compatible with an as yet unreleased OpenSSL v0.9.8 (OpenSSL FIPS FAQ, 11/16/07; http://www.oss-institute.org/fips-faq.html)
- on 2/6/08, Object Module v1.1.2 was validated (removing a vulnerability in OM v1.1.1) (http://www.oss-institute.org/index.php?option=com_content&task=view&id=264&Itemid=160)
- in an OSSI announcement about the OpenCrypto Management Program they stated that Phase I was complete and Phase II was underway. (No version number was given for the Object Model that was validated in Phase I, but the implication is that 1.1 was validated and 1.2 is still not validated?) There was also a paragraph for each of several major projects using OpenSSL; Apache httpd 2.x mod_ssl was identified as not currently supporting FIPS mode. (http://www.oss-institute.org/index.php?option=com_content&task=view&id=215&Itemid=160)
- back in 2005, there was a branch in the Apache httpd repository for fips-dev. According to the README, Ben Laurie & Will Rowe were working on this. I found no indications that this work was completed and/or moved into the trunk. I cannot find the branch in the repository now.
- last November, there was an enhancement record filed in the ASF Bugzilla with a patch for OpenSSL autoconfig support for mod_ssl. My simplistic interpretation of the description is that this could enable FIPS mode via a configuration file. (https://issues.apache.org/bugzilla/show_bug.cgi?id=43931)

I found several postings to mail lists and discussion lists asking about FIPS support in Apache httpd from earlier this year. Unfortunately, there were no responses that I could find.

Is anyone currently working with OSSI to support FIPS mode in Apache httpd 2.x? Has anyone looked at or applied the patch provided in 43931? Does that patch provide everything needed to enable FIPS mode from mod_ssl, or are additional code changes needed?

Thanks!
.Tim

Tim D. Hammer
Software Developer
Xerox Office Group
Xerox Corporation
M/S 0801-80A
1350 Jefferson Road
Rochester, NY 14623
Phone: 585/427-1684
Fax: 585/427-3404
Mail: [EMAIL PROTECTED]
RE: (resend) RE: mod_ssl
> On Thu, Dec 13, 2007 at 09:50:46PM -0500, Hammer, Tim wrote:
> > I am attempting to upgrade httpd from 1.3.x to 2.2.x for our web application. I have managed to get everything building and working, ...
> > As you can see, the call from mod_ssl.so into the buckets/ code is passing a null pointer. None of our other modules have been modified to use buckets. Does mod_ssl require the use of buckets?
>
> Are you trying to port mod_ssl from 1.3.x to 2.2.x? That's been done long ago and 2.x includes a port of mod_ssl.

No, I am trying to use the new (2.2.x) mod_ssl with our modules that have been ported from 1.3.x to 2.2.x. However, the port did not convert our modules to use buckets and I am wondering if the new mod_ssl is requiring the content generator(s) (our modules) to have created a brigade.

> vh
>
> Mads Toftum

.Tim
Xerox Corporation, Office Group
Phone: 585/427-1684
Fax: 585/427-3244
Email: [EMAIL PROTECTED]
Addr: M/S 0801-80A
1350 Jefferson Road
Rochester, NY 14623

This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient(s) please contact the sender by reply e-mail and destroy all copies of the original message. Thank you.
RE: (resend) RE: mod_ssl
> On Fri, Dec 14, 2007 at 11:01:09AM -0500, Hammer, Tim wrote:
> > No, I am trying to use the new (2.2.x) mod_ssl with our modules that have been ported from 1.3.x to 2.2.x. However, the port did not convert our modules to use buckets and I am wondering if the new mod_ssl is requiring the content generator(s) (our modules) to have created a brigade.
>
> Ah. And everything works when mod_ssl is left out?

Yes.

.Tim
(resend) RE: mod_ssl
Is there no one with any info or did I not ask my question in a proper manner? Could someone at least acknowledge that this message is seen?

I am attempting to upgrade httpd from 1.3.x to 2.2.x for our web application. I have managed to get everything building and working, except SSL support. mod_ssl.so seems to load alright, but at some point I get a core dump (one occurred during startup/initialization I think, but I do get servers running; however, when I try to access a page from a browser, everything dumps again). All of the core dumps look the same:

    Program terminated with signal 11, Segmentation fault.
    #0  apr_bucket_shared_destroy (data=0x0) at buckets/apr_buckets_refcount.c:47
    47      buckets/apr_buckets_refcount.c: No such file or directory.
            in buckets/apr_buckets_refcount.c
    (gdb) bt
    #0  apr_bucket_shared_destroy (data=0x0) at buckets/apr_buckets_refcount.c:47
    #1  0xb7fc9b61 in heap_bucket_destroy (data=0x0) at buckets/apr_buckets_heap.c:35
    #2  0xb7f67579 in bio_filter_in_read () from /usr/local/apache2/modules/mod_ssl.so
    #3  0x000b in ?? () from /lib/libm.so.6

As you can see, the call from mod_ssl.so into the buckets/ code is passing a null pointer. None of our other modules have been modified to use buckets. Does mod_ssl require the use of buckets?

Thanks for any info!

.Tim