RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1071292 - Can't start httpd in FIPS mode with mod_ssl installed
Summary: Can't start httpd in FIPS mode with mod_ssl installed
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Luboš Uhliarik
QA Contact: Ondřej Pták
URL:
Whiteboard:
: 1057687 (view as bug list)
Depends On:
Blocks: 1073078 1073081 1100680 1180223
TreeView+ depends on / blocked
 
Reported: 2014-02-28 12:53 UTC by Hubert Kario
Modified: 2021-01-14 09:32 UTC (History)
4 users (show)

Fixed In Version: httpd-2.4.6-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1080599 1100680 (view as bug list)
Environment:
Last Closed: 2014-06-13 12:55:53 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1057687 0 urgent CLOSED Custom/big DH parameters not supported 2021-02-22 00:41:40 UTC

Internal Links: 1057687

Description Hubert Kario 2014-02-28 12:53:55 UTC 
Description of problem:
httpd does not start in FIPS mode with mod_ssl installed.

Version-Release number of selected component (if applicable):
mod_ssl-2.4.6-14.el7.x86_64
httpd-2.4.6-14.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start system in FIPS mode
2. Install mod_ssl
3. Generate self-signed keys:
   openssl req -x509 -newkey rsa -keyout server.key -out server.crt -subj /CN=localhost -nodes -batch
4. Copy to default location for httpd keys:
   cp server.key /etc/pki/tls/private/localhost.key
   cp server.crt /etc/pki/tls/certs/localhost.crt
5. Start service:
   systemct start httpd

Actual results:
# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: failed (Result: exit-code) since Fri 2014-02-28 07:42:33 EST; 8s ago
  Process: 19676 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 19675 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 19675 (code=exited, status=1/FAILURE)

Feb 28 07:42:33 pes-guest-66.lab.eng.brq.redhat.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Feb 28 07:42:33 pes-guest-66.lab.eng.brq.redhat.com systemd[1]: Failed to start The Apache HTTP Server.
Feb 28 07:42:33 pes-guest-66.lab.eng.brq.redhat.com systemd[1]: Unit httpd.service entered failed state.

# less /var/log/httpd/error_log
[Fri Feb 28 07:42:33.806710 2014] [core:notice] [pid 19675] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Feb 28 07:42:33.808808 2014] [suexec:notice] [pid 19675] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Feb 28 07:42:33.809829 2014] [ssl:error] [pid 19675] AH01878: Init: Failed to generate temporary 1024 bit RSA private key
[Fri Feb 28 07:42:33.809878 2014] [ssl:error] [pid 19675] SSL Library Error: error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length
AH00016: Configuration Failed

Expected results:
Apache started

Additional info:
Probably caused by newly introduced limits in FIPS mode that disallow DH params below 2048 bit

Marking as regression since mod_ssl works in FIPS mode on RHEL 6
Comment 8 Joe Orton 2014-03-06 11:53:54 UTC 
*** Bug 1057687 has been marked as a duplicate of this bug. ***
Comment 9 Ondřej Pták 2014-03-07 13:24:36 UTC 
verified on x86_64 and ppc64 by:
    * /CoreOS/httpd/Sanity/mod_ssl-smoke
    * /CoreOS/httpd/Library/http (selftest)
    * /CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported
Comment 10 Ludek Smid 2014-06-13 12:55:53 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.
Note You need to log in before you can comment on or make changes to this bug.