Bug 1086412 - SSLFIPS option does not operate the same as RHEL httpd
Summary: SSLFIPS option does not operate the same as RHEL httpd
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: httpd
Version: unspecified
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Target Release: 3.0.0
Assignee: Jean-frederic Clere
QA Contact: Michal Karm Babacek
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-04-10 20:18 UTC by Eric Rich
Modified: 2019-06-13 08:19 UTC (History)

Fixed In Version:
Doc Type: Known Issue
Doc Text:
In JBoss Web Server, the SSLFIPS option does not operate as expected. This is a known issue in JBoss Web Server 3 and there is currently no workaround for this problem.
Clone Of:
Environment:
Last Closed: 2019-06-13 08:19:04 UTC
Type: Bug
Embargoed:




Links
Red Hat Bugzilla 957026 (priority unspecified, status CLOSED): [Doc Bug Fix] Info how to enable FIPS in Apache HTTPd server is missing; last updated 2021-02-22 00:41:40 UTC

Internal Links: 957026

Description Eric Rich 2014-04-10 20:18:59 UTC
Description of problem:

With RHEL 6 configured following: https://access.redhat.com/site/solutions/137833

EWS 2.0 reports: [notice] SSL FIPS mode disabled

until you turn on the SSLFIPS flag. (I think this is a bug: with httpd from RHEL 6 the SSLFIPS option does not work, as described by http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslfips, because "httpd was compiled against an SSL library which did not support the FIPS_mode flag, SSLFIPS on will fail.")

With httpd from EWS this setting of the flag works (that is to say it lets you set the flag, and the logs no longer tell you FIPS is disabled).

 

Version-Release number of selected component (if applicable): 
    RHEL 6 httpd vs RHEL 6 EWS 2.0 httpd

How reproducible: Very


Steps to Reproduce:
1. Install RHEL 6 System
2. # rhnreg_ks --username=USER --password=PASSWORD
3. # yum install dracut-fips
4. # cp /boot/initramfs-*.img /boot/initramfs-nofips-*.img
- Use df /boot to figure out what goes into the boot parameter and append it to the kernel line in /etc/grub.conf.
    kernel /vmlinuz quiet rhgb ... fips=1 boot=/dev/sda1
5. # reboot
6. Check FIPS for the System is enabled
  # cat /proc/sys/crypto/fips_enabled
6. # yum install mod_ssl httpd
7. # openssl req -utf8 -days 365 -out certs/server.crt -key private/server.pass.key 
   # openssl req -new -x509 -key private/server.pass.key -out certs/server.cert.pem -days 365
8. Edit /etc/httpd/conf.d/ssl.conf to match the following:
  81 SSLFIPS on
  ...
  100 #   Server Certificate:
  ...
  105 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
  106 SSLCertificateFile /etc/pki/tls/certs/server.cert.pem
  ...
  113 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  114 SSLCertificateKeyFile /etc/pki/tls/private/server.pass.key
9. # service httpd start
  - Reviewed logs for: [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

Actual results:

Depending on what you set for line 81 in step 8 (have it commented out, On or Off), the logs present something different for step 9 (with EWS).

Expected results:

Should work and behave the same way as the RHEL version of httpd.

Additional info:

It should behave this way to comply with the FIPS certification that was gotten. 
- http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf

Comment 6 Libor Fuka 2014-06-19 11:09:43 UTC
I tested configurations, and when I start RHEL6 httpd (service httpd start) with SSLFIPS on it shows:
Starting httpd: Syntax error on line 26 of /etc/httpd/conf.d/ssl.conf:
Invalid command 'SSLFIPS', perhaps misspelled or defined by a module not included in the server configuration
[FAILED]

When I start EWS 2.1.0-ER3 with SSLFIPS on it shows:
[Thu Jun 19 07:03:22 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

Comment 7 Libor Fuka 2014-06-19 11:31:13 UTC
When I start EWS 2.1.0-ER3 with SSLFIPS off it shows:
[Thu Jun 19 07:28:45 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

Comments #6 and #7: EWS httpd with FIPS enabled at the system level (kernel).

Comment 8 Libor Fuka 2014-06-19 12:09:18 UTC
More testing with EWS 2.1.0-ER3:
FIPS not enabled in system/kernel level

mod_ssl without SSLFIPS directive
[Thu Jun 19 08:05:53 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

mod_ssl SSLFIPS on
[Thu Jun 19 08:07:10 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

mod_ssl SSLFIPS off
[Thu Jun 19 08:08:40 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations
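The reproduction steps in the description and the log excerpts in comments 6 through 8 both come down to two checks: what the kernel says about FIPS, and what mod_ssl itself logs. The helper below is an added example, not part of the bug report or of EWS, that performs those checks from files so it can also be run over collected evidence; the "Operating in SSL FIPS mode" notice string is an assumption about the enabled-side message, only "SSL FIPS mode disabled" appears on this page.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit helpers that answer the two
# questions behind this bug from files, so they also work on collected
# evidence: is FIPS enforced by the kernel, and what does mod_ssl itself log?
# "OpenSSL/1.0.1e-fips" in the startup banner only shows a FIPS-capable
# build; it says nothing about whether FIPS mode is actually on.

# kernel_fips_state [path]: "enabled", "disabled" or "absent" (no such file).
kernel_fips_state() {
    f=${1:-/proc/sys/crypto/fips_enabled}
    [ -r "$f" ] || { echo absent; return 0; }
    case $(cat "$f") in
        1) echo enabled ;;
        *) echo disabled ;;
    esac
}

# modssl_fips_state <error_log>: what mod_ssl reported at startup.
# RHEL httpd logs "SSL FIPS mode disabled" when SSLFIPS is off (quoted in the
# report); the enabled-side notice is ASSUMED here to read
# "Operating in SSL FIPS mode". A log with neither line, like the EWS output
# in comments 6 to 8, cannot tell you whether FIPS mode is active.
modssl_fips_state() {
    if grep -q 'Operating in SSL FIPS mode' "$1"; then
        echo enabled
    elif grep -q 'SSL FIPS mode disabled' "$1"; then
        echo disabled
    else
        echo unreported
    fi
}

# fips_verdict <kernel_state> <modssl_state>: one-line consistency check.
fips_verdict() {
    case "$1/$2" in
        enabled/enabled) echo consistent ;;
        enabled/*)       echo "kernel FIPS on but mod_ssl reports '$2': investigate" ;;
        */enabled)       echo "mod_ssl claims FIPS mode but kernel state is '$1'" ;;
        *)               echo "FIPS not enforced (kernel $1, mod_ssl $2)" ;;
    esac
}

# Demo on constructed input: an error_log that only carries the banner line.
demo_log=$(mktemp)
echo '[notice] Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations' > "$demo_log"
echo "kernel: $(kernel_fips_state)  mod_ssl: $(modssl_fips_state "$demo_log")"
fips_verdict "$(kernel_fips_state)" "$(modssl_fips_state "$demo_log")"
rm -f "$demo_log"
```

On a RHEL 6 box booted with fips=1 the kernel check should print "enabled"; an "unreported" mod_ssl state against that is exactly the ambiguity this bug describes.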

Comment 12 Misha H. Ali 2014-08-09 04:27:15 UTC
This one is a bit complicated. Can someone clarify the cause of the problem and how it manifests for this bug? Flagging Jean-Frederic, but any input from anyone else is also welcome.

Comment 13 Libor Fuka 2014-08-11 13:27:13 UTC
Doc text: EWS does not support FIPS mode even if we set SSLFIPS on in httpd.conf.
Is this true?
Who can answer, Weinan?

Comment 14 Mandar Joshi 2014-08-11 15:05:44 UTC
Added the doc text as suggested. Weinan can you please ack?

Comment 15 Michal Karm Babacek 2014-11-06 13:27:57 UTC
Guys? This one appears to have slipped through the cracks...

