Description of problem:
With RHEL 6 configured following https://access.redhat.com/site/solutions/137833, EWS 2.0 reports:

  [notice] SSL FIPS mode disabled

until you turn on the SSLFIPS flag. << I think this is a bug, as with httpd from RHEL 6 the SSLFIPS option does not work (as described by http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslfips) because "httpd was compiled against an SSL library which did not support the FIPS_mode flag, SSLFIPS on will fail." With httpd from EWS, setting the flag works (that is to say, it lets you set the flag, and the logs no longer tell you FIPS is disabled).

Version-Release number of selected component (if applicable):
RHEL 6 httpd vs RHEL 6 EWS 2.0 httpd

How reproducible:
Very

Steps to Reproduce:
1. Install RHEL 6 system
2. # rhnreg_ks --username=USER --password=PASSWORD
3. # yum install dracut-fips
4. # cp /boot/initramfs-*.img /boot/initramfs-nofips-*.img
   - Use df /boot to figure out what goes into the boot parameter and append it to the kernel line in /etc/grub.conf:
     kernel /vmlinuz quiet rhgb ... fips=1 boot=/dev/sda1
5. # reboot
6. Check FIPS for the system is enabled:
   # cat /proc/sys/crypto/fips_enabled
6. # yum install mod_ssl httpd
7. # openssl req -utf8 -days 365 -out certs/server.crt -key private/server.pass.key
   # openssl req -new -x509 -key private/server.pass.key -out certs/server.cert.pem -days 365
8. Edit /etc/httpd/conf.d/ssl.conf to match the following:
    81 SSLFIPS on
   ...
   100 # Server Certificate:
   ...
   105 #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   106 SSLCertificateFile /etc/pki/tls/certs/server.cert.pem
   ...
   113 #SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   114 SSLCertificateKeyFile /etc/pki/tls/private/server.pass.key
9. # service httpd start
   - Reviewed logs for:
     [notice] Apache/2.2.15 (Unix) DAV/2 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips configured -- resuming normal operations

Actual results:
Depending on what you set for line 81 in step 8 (have it commented out, On or Off), the logs present something different for step 9 (with EWS).

Expected results:
Should work and behave the same way as the RHEL version of httpd.

Additional info:
It should behave this way to comply with the FIPS certification that was gotten: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1758.pdf
I tested configurations, and when I start RHEL6 httpd (service httpd start) with SSLFIPS on it shows:

  Starting httpd: Syntax error on line 26 of /etc/httpd/conf.d/ssl.conf:
  Invalid command 'SSLFIPS', perhaps misspelled or defined by a module not included in the server configuration
                                                             [FAILED]

When I start EWS 2.1.0-ER3 with SSLFIPS on it shows:

  [Thu Jun 19 07:03:22 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations
When I start EWS 2.1.0-ER3 with SSLFIPS off it shows:

  [Thu Jun 19 07:28:45 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

(Comments #6 and #7: EWS httpd with FIPS enabled at the system level (kernel).)
More testing with EWS 2.1.0-ER3, FIPS not enabled at the system/kernel level:

mod_ssl without SSLFIPS directive:
  [Thu Jun 19 08:05:53 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

mod_ssl with SSLFIPS on:
  [Thu Jun 19 08:07:10 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations

mod_ssl with SSLFIPS off:
  [Thu Jun 19 08:08:40 2014] [notice] Apache/2.2.26 (Unix) DAV/2 mod_auth_kerb/5.4 mod_cluster/1.2.9.Final CovalentSNMP/2.3.0 mod_ssl/2.2.26 OpenSSL/1.0.1e-fips configured -- resuming normal operations
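Added example, not code from the bug report or from Red Hat: a POSIX shell check that keeps apart the three things the reproduction steps and the test comments above are looking at separately: the kernel flag in /proc/sys/crypto/fips_enabled, whether the installed mod_ssl build even knows the SSLFIPS directive (the RHEL 6 base httpd rejects it as an invalid command), and what the startup log actually says about FIPS mode. The "OpenSSL/1.0.1e-fips" token in the startup notice only identifies a FIPS-capable OpenSSL build; it appears in every EWS run quoted above regardless of the SSLFIPS setting, so it is not evidence that FIPS mode is on. Function names, the category labels, and the default error_log path are assumptions of this example; the sample inputs are constructed from the messages quoted in the comments.

```shell
#!/bin/sh
# Added example (not part of the bug report): posture check for httpd/mod_ssl
# FIPS state on a RHEL 6 style host. Matched message strings are the ones
# quoted in the report; everything else here is an assumption of the example.

# Kernel-level FIPS flag. Optional path argument so a test can point it at a
# constructed file instead of /proc/sys/crypto/fips_enabled.
kernel_fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Pull the OpenSSL token out of mod_ssl's startup notice, e.g. "1.0.1e-fips".
# A "-fips" suffix means a FIPS-capable library build, nothing more; keep it
# as a separate fact from whether FIPS mode is actually active.
openssl_build_from_notice() {
    # $1: one log line; prints the version token or nothing
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL\/\([^ ]*\).*/\1/p'
}

# Classify httpd startup or "httpd -t" output read from stdin:
#   directive-unknown : this mod_ssl build has no SSLFIPS directive at all
#                       (RHEL 6 base httpd; "SSLFIPS on" is a syntax error)
#   fips-disabled     : mod_ssl knows FIPS and logged that it is off
#   fips-unconfirmed  : clean startup with no FIPS notice either way
#                       (the EWS runs in the report; the "-fips" build suffix
#                       alone does not confirm FIPS mode)
#   unknown           : none of the above messages were seen
classify_ssl_fips_output() {
    out=$(cat)
    case "$out" in
        *"Invalid command 'SSLFIPS'"*)   echo directive-unknown ;;
        *"SSL FIPS mode disabled"*)      echo fips-disabled ;;
        *"resuming normal operations"*)  echo fips-unconfirmed ;;
        *)                               echo unknown ;;
    esac
}

# Combined posture string "<kernel state>/<httpd state>".
#   $1: file holding the kernel flag, $2: file holding httpd output
fips_posture() {
    if kernel_fips_enabled "$1"; then k=kernel-fips-on; else k=kernel-fips-off; fi
    echo "$k/$(classify_ssl_fips_output < "$2")"
}

# Live run against the real host (default RHEL 6 error_log path assumed):
#   sh fipscheck.sh --live
if [ "${1:-}" = "--live" ]; then
    fips_posture /proc/sys/crypto/fips_enabled /var/log/httpd/error_log
fi
```

On the report's two systems this yields "kernel-fips-on/directive-unknown" for the RHEL 6 base httpd with SSLFIPS on, and "kernel-fips-on/fips-unconfirmed" for EWS 2.1.0-ER3 whatever SSLFIPS is set to, which is exactly the ambiguity the reporter is asking to have resolved: a clean startup line is not the same as a positive statement that FIPS mode is enforced.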
This one is a bit complicated. Can someone clarify the cause of the problem and how it manifests for this bug? Flagging Jean-Frederic, but any input from anyone else is also welcome.
Doc text: EWS does not support FIPS mode even if we set SSLFIPS on in httpd.conf. Is this true? Who can answer, Weinan?
Added the doc text as suggested. Weinan can you please ack?
Guys? This one appears to have slipped through the cracks...