Bug 773473

Summary: [RHEL 5.7] Apache HTTP Server cannot start with mod_ssl when FIPS 140-2 mode enabled
Product: Red Hat Enterprise Linux 5 Reporter: Jason A. Beranek <jason.beranek>
Component: httpdAssignee: Joe Orton <jorton>
Status: CLOSED ERRATA QA Contact: Aleš Mareček <amarecek>
Severity: high Docs Contact:
Priority: high    
Version: 5.9CC: amarecek, jkaluza, jwest, mmatsuya, prc, rsawhill, sgrubb
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: httpd-2.2.3-66 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-01-08 05:04:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 803893    

Description Jason A. Beranek 2012-01-11 22:14:34 UTC 
Description of problem:
When running RHEL 5.7 x86_64 with FIPS 140-2 mode enabled, Apache HTTP Server fails to start if mod_ssl is enabled.

Version-Release number of selected component (if applicable):
httpd-2.2.3-53.el5_7.3.x86_64.rpm
mod_ssl-2.2.3-53.el5_7.3.x86_64.rpm

How reproducible:
Consistently reproduced

Steps to Reproduce:
1.Install httpd and mod_ssl via "yum install httpd mod_ssl"
2.Complete the steps described to place RHEL 5 in FIPS mode (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1320.pdf)
3.Restart the system
4.Start the httpd service via "/sbin/service httpd start"
  
Actual results

httpd fails to start, indicating only "Failure" from the start script. 

Expected results:

httpd starts successfully

Additional info:

The error appears to be caused by the httpd and mod_ssl packages being out of synch with the upstream Apache HTTP Server project. FIPS 140-2 support was added to mod_ssl in Apache 2.2.x with revision 963430 (http://svn.apache.org/viewvc?view=revision&revision=963430), and released as part of Apache HTTP Server 2.2.17. The changes provided by this revision have not been migrated into the RHEL 5.7 httpd SRPM.

The following is a brief description of the troubleshooting process that led to the conclusion above.

After httpd fails to start, the /var/log/httpd/error_log indicates the following information:

  Init: Failed to generate temporary 512 bit RSA private key
  Configuration failed

Attempted applying fixes for this error message documented on the internet, but those did not resolve the issue.

Attempted to create a 512 bit RSA key independant of mod_ssl to see if error originated from OpenSSL. The "openssl genrsa 512" command failed with the error "FIPS routines:RSA_BUILTIN_KEYGEN:key too short". 

Reviewed the httpd SRPM, found the source for the error message above in modules/ssl/ssl_engine_init.c. Observed this code attempts to create a 512 bit RSA key using OpenSSL, and if that creation fails Apache HTTP Server startup fails. Reviewed upstream Apache project SVN versions of ssl_engine_init.c, and found that the upstream version included a flag to indicate FIPS mode. When enabled, ssl_engine_init.c skips creating any RSA or DH keys smaller than 1024 in accordance with the FIPS 140-2 mode. Tracked origin of this change to revision 963430, first released as part of Apache HTTP Server 2.2.17.
Comment 1 Joe Orton 2012-01-12 11:56:07 UTC 
Thanks for the report.
Comment 5 RHEL Program Management 2012-04-19 11:50:29 UTC 
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 11 errata-xmlrpc 2013-01-08 05:04:03 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0130.html