Bug 1386282

Summary: OpenSSL 1.0.2h stalls startup of httpd when FIPS enabled
Product: [JBoss] JBoss Enterprise Web Server 2 Reporter: Robert Bost <rbost>
Component: openssl Assignee: George Zaronikas <gzaronik>
Status: CLOSED WONTFIX QA Contact: Michal Karm Babacek <mbabacek>
Severity: high Docs Contact:
Priority: unspecified    
Version: 2.1.1 CC: jclere, jdoyle, jstefl, mbabacek, twalsh
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2019-06-13 12:20:05 UTC Type: Bug

Description Robert Bost 2016-10-18 14:36:26 UTC
Description of problem: On a RHEL 6 server with FIPS enabled, startup of httpd stalls and pstack reveals openssl hanging.


Version-Release number of selected component (if applicable):
httpd-2.2.26-55.ep6.el6.x86_64
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
[root@localhost ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

[root@localhost ~]# service httpd start 
Starting httpd: <CTRL+Z>
[1]+  Stopped                 service httpd start

[root@localhost ~]# bg
[1]+ service httpd start &

[root@localhost ~]# ps aux | grep httpd
root      1998  0.0  0.1 106376  1660 ttyS0    S    10:32   0:00 /bin/sh /sbin/service httpd start
root      2005  0.0  0.1 108484  1796 ttyS0    S    10:32   0:00 /bin/bash /etc/init.d/httpd start
root      2012  0.0  0.1  11348  1192 ttyS0    S    10:32   0:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/httpd
root      2013  0.2  0.6 162392  6372 ttyS0    S    10:32   0:00 /usr/sbin/httpd
root      2015  0.0  0.0 103320   840 ttyS0    S+   10:32   0:00 grep httpd

[root@localhost ~]# pstack 2013
#0  0x00007fa59c0fd334 in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fa59c0f85d8 in _L_lock_854 () from /lib64/libpthread.so.0
#2  0x00007fa59c0f84a7 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fa594ebc03e in fips_drbg_status () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#4  0x00007fa594e3f259 in drbg_rand_add () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#5  0x00007fa594e3fd67 in RAND_poll () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#6  0x00007fa594e3e93a in ssleay_rand_bytes () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#7  0x00007fa594e3f403 in drbg_get_entropy () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#8  0x00007fa594ebb53c in fips_get_entropy () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#9  0x00007fa594ebba12 in drbg_reseed () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#10 0x00007fa594e3f319 in drbg_rand_seed () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#11 0x00007fa5953f8544 in ssl_rand_feedfp () from /etc/httpd/modules/mod_ssl.so
#12 0x00007fa5953f8847 in ssl_rand_seed () from /etc/httpd/modules/mod_ssl.so
#13 0x00007fa5953f0ca2 in ssl_init_Module () from /etc/httpd/modules/mod_ssl.so
#14 0x00007fa59d84e469 in ap_run_post_config ()
#15 0x00007fa59d839b48 in main ()


Actual results: httpd stalls on startup


Expected results: httpd starts


Additional info:
A similar issue was reported for RHEL 6's openssl:

https://bugzilla.redhat.com/show_bug.cgi?id=999852
https://access.redhat.com/solutions/1201563
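
A triage helper for stack dumps like the one in this report, added here as an example and not part of the original report or of any Red Hat or OpenSSL tooling: it parses pstack output and flags a thread parked in a mutex wait while functions of the same library family (here `drbg`) appear both at the lock request and further out in the same call chain. The `triage` function, its `family` parameter and the sample trace are assumptions constructed for this example, and the re-entry heuristic is a reading of the trace, not a diagnosis stated in the report.

```python
import re

# Constructed sample in pstack format, abridged from the trace in the report
# (frame numbers and addresses are illustrative).
SAMPLE = """\
#0  0x00007f0000000001 in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007f0000000002 in pthread_mutex_lock () from /lib64/libpthread.so.0
#2  0x00007f0000000003 in fips_drbg_status () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#3  0x00007f0000000004 in drbg_rand_add () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#4  0x00007f0000000005 in RAND_poll () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#5  0x00007f0000000006 in drbg_get_entropy () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#6  0x00007f0000000007 in drbg_rand_seed () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#7  0x00007f0000000008 in ssl_rand_seed () from /etc/httpd/modules/mod_ssl.so
#8  0x00007f0000000009 in main ()
"""

FRAME = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)(?: from (\S+))?")
LOCK_WAIT = {"__lll_lock_wait", "pthread_mutex_lock"}

def parse_frames(text):
    """Return [(symbol, library-or-None), ...], innermost frame first."""
    matches = (FRAME.match(line.strip()) for line in text.splitlines())
    return [(m.group(2), m.group(3)) for m in matches if m]

def triage(text, family="drbg"):
    """Heuristic (an assumption, not OpenSSL's API): report a thread that is
    parked on a mutex while `family` functions of one library appear both at
    the lock request and further out in the same stack."""
    frames = parse_frames(text)
    if not frames or frames[0][0] not in LOCK_WAIT:
        return None                      # thread is not waiting on a mutex
    # First frame outside libpthread is the function asking for the lock.
    idx = next((i for i, (_, lib) in enumerate(frames)
                if lib is None or "libpthread" not in lib), None)
    if idx is None:
        return None
    waiter, lib = frames[idx]
    # Same-library frames of the same family further out in the call chain.
    outer = [i for i in range(idx + 1, len(frames))
             if frames[i][1] == lib and family in frames[i][0]]
    if lib is None or family not in waiter or not outer:
        return None
    entry = outer[-1]                    # outermost re-entered frame
    caller = frames[entry + 1][0] if entry + 1 < len(frames) else None
    return {"waiter": waiter, "library": lib,
            "entered_via": frames[entry][0], "called_from": caller}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A `None` result means the dump does not match this pattern; it does not rule out other kinds of hang.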

Comment 6 Jean-frederic Clere 2016-10-19 09:45:10 UTC
JWS-3.1, JBCS-httpd2.4.23 and EWS-2.1.2 are using upstream openssl-1.0.2h and FIPS isn't supported here :-(