I believe this was due to static linking against OpenSSL.

Static linking was chosen to avoid DLL hell (and other preload
problems) on platforms like Ubuntu. On Ubuntu 12.04 LTS and friends,
the platform provides OpenSSL 1.0.1e but disables TLSv1.1 and TLSv1.2.

On Fri, Dec 20, 2013 at 2:17 PM, Jeffrey Walton <noloa...@gmail.com> wrote:
> I'm testing the FIPS Capable OpenSSL library with nginx. nginx starts a
> master process which calls:
>
>     SSL_library_init();
>     SSL_load_error_strings();
>     OpenSSL_add_all_algorithms();
>
> The master then starts a number of child processes. It does so by
> forking without an exec (if I am reading the source code properly).
> The master process does *not* install OpenSSL static locks, but nginx
> is not multi-threaded.
>
> When operating in non-FIPS mode, SSL/TLS connections proceed as
> expected when connecting to https://localhost during testing (but
> testing is very limited, and I have not load tested with a tool like
> Apache's 'ab').
>
> When operating in FIPS mode, the following occurs during a connection
> to https://localhost:
>
> <nginx log>
> 2013/12/20 13:57:13 [crit] 8123#0: *1 SSL_do_handshake() failed (SSL:
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed
> error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed
> error:04075083:rsa routines:RSA_sign:invalid message length
> error:1409B004:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:RSA lib)
> while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443
> </nginx log>
>
> SSL3_SEND_SERVER_KEY_EXCHANGE is a puzzling failure since it appears
> to be DTLS related. I'm beginning to wonder if the forks are causing
> trouble for OpenSSL when operating in FIPS mode.
>
> Does anyone have any ideas for troubleshooting the issue?
>
> Thanks in advance.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
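
A small triage helper for the error queue in the quoted nginx log, added here as an example and not part of the original messages: it unpacks each packed error code using the OpenSSL 1.0.x layout (library in the top 8 bits, function in the next 12, reason in the low 12) and collapses repeats in logged order. The sample line is constructed by joining the wrapped lines of the quoted log, and the names `decode`, `parse_queue` and `summarize` are hypothetical.

```python
import re

# Constructed sample: the wrapped lines of the quoted nginx log joined into one line.
FIPS_UPD = "error:2D09F086:FIPS routines:FIPS_digestupdate:selftest failed "
FIPS_FIN = "error:2D09E086:FIPS routines:FIPS_digestfinal:selftest failed "
SAMPLE = (
    "2013/12/20 13:57:13 [crit] 8123#0: *1 SSL_do_handshake() failed (SSL: "
    + FIPS_UPD * 5 + FIPS_FIN + FIPS_UPD * 3 + FIPS_FIN
    + "error:04075083:rsa routines:RSA_sign:invalid message length "
    + "error:1409B004:SSL routines:SSL3_SEND_SERVER_KEY_EXCHANGE:RSA lib) "
    + "while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443"
)

# error:<8 hex digits>:<library>:<function>:<reason text>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*?)(?= error:|\))")

def decode(code_hex):
    """Unpack a 1.0.x packed error code into (lib, func, reason) numbers."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF

def parse_queue(line):
    """Return the error-queue entries of one log line, in logged order."""
    entries = []
    for m in ERR_RE.finditer(line):
        lib, func, reason = decode(m.group(1))
        entries.append({"lib": lib, "func": func, "reason": reason,
                        "lib_name": m.group(2), "func_name": m.group(3),
                        "text": m.group(4)})
    return entries

def summarize(entries):
    """Collapse consecutive identical entries into [entry, count] pairs."""
    runs = []
    for e in entries:
        if runs and runs[-1][0] == e:
            runs[-1][1] += 1
        else:
            runs.append([e, 1])
    return runs

if __name__ == "__main__":
    for e, n in summarize(parse_queue(SAMPLE)):
        print(f"{n:2d}x lib={e['lib']:3d} func={e['func']:4d} reason={e['reason']:4d}"
              f"  {e['lib_name']}:{e['func_name']}:{e['text']}")
```

In the decoded output, the reason number of the final SSL entry (4) equals the library number of the rsa entry logged just before it.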