----- "Dwight P CTR DISA PAC Victor" <dwight.victor....@disa.mil> wrote:

> Classification:  UNCLASSIFIED 
> Caveats: NONE
> 
> Related?
> http://rt.openssl.org/Ticket/Display.html?id=1278&user=guest&pass=guest
> 
> ---
> Dwight Victor (Contractor), CISSP, RHCT, SCSECA
> DISA-PAC EMSS Gateway Hawaii
> EMAIL: dwight.victor....@disa.mil
> TEL:   (808) 653-3677 ext 229 
> 
> -----Original Message-----
> From: ja...@nixsecurity.org [mailto:ja...@nixsecurity.org] 
> Sent: Thursday, November 11, 2010 9:01 AM
> To: users@httpd.apache.org
> Subject: [us...@httpd] SSLFIPS Directive
> 
> Apache 2.2.17
> OpenSSL 0.9.8n FIPS
> PHP 5.3.2
> libssh2 1.2.6
> 
> So, I have a web application where the front-end is Flex/AS3 and the
> back-end is a mix of PHP/C. PHP is compiled with the libssh2 library
> and the pecl extension to enable the ssh2 functionality. I use the
> ssh2 functions within PHP for communication between systems. For
> instance, the interface allows you to add another product of ours for
> communication with our primary product. Communication works via SSH;
> I'm not going to get into the details of that. Anyway, when I
> introduce the SSLFIPS directive into my httpd.conf, Apache child
> processes crash. This happens even if the directive's value is set
> to off. However, if I don't introduce the directive, everything
> works as expected.
> 
> We are required by government customers to offer FIPS.
> 
> [Thu Nov 11 13:50:43 2010] [notice] Operating in SSL FIPS mode
> [Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
> [Thu Nov 11 13:50:43 2010] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
> [Thu Nov 11 13:50:43 2010] [notice] Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8o-fips configured -- resuming normal operations
> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
> [Thu Nov 11 13:50:58 2010] [notice] child pid 24913 exit signal Aborted (6)
> [Thu Nov 11 13:50:58 2010] [notice] child pid 24915 exit signal Aborted (6)

Can you get us a coredump/back-trace of the children which are dying?
How, exactly, have you compiled/linked the PECL extensions vs mod_ssl?

> Any thoughts?

If all else fails: Run PHP in the backend, and the SSL termination
in a proxy.


i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
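
The fallback suggested in the reply above (PHP in the backend, SSL termination in a proxy), sketched as an added Apache 2.2 configuration example; it is not part of either message. The host name, port, file paths and the split into two httpd instances are assumptions chosen for illustration.

```apache
# ---- front-end httpd instance: TLS termination only, no PHP loaded ----
# Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.
# SSLFIPS is valid in the global server config only, not inside <VirtualHost>.
SSLFIPS on

Listen 443
<VirtualHost *:443>
    # Placeholder name and certificate paths.
    ServerName app.example.com

    SSLEngine on
    SSLProtocol TLSv1
    SSLCertificateFile    /etc/httpd/ssl/app.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/app.example.com.key

    # Reverse proxy only; never act as a forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell the application the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# ---- back-end httpd instance: separate config file and process ----
# PHP with the ssh2 extension lives here. mod_ssl is not loaded and
# there is no SSLFIPS directive, so the FIPS-mode OpenSSL in the
# front end is never initialised in the process that runs libssh2.
LoadModule php5_module modules/libphp5.so

# Bind to loopback only: this hop is plain HTTP and must not be
# reachable from the network.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName app.example.com
    DocumentRoot /var/www/app
</VirtualHost>
```

With this split, the FIPS requirement applies to the client-facing TLS endpoint, while SSH traffic originated by PHP still uses whatever crypto libssh2 was built against and has to be assessed separately.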