Bug 1071292 - Can't start httpd in FIPS mode with mod_ssl installed
Summary: Can't start httpd in FIPS mode with mod_ssl installed
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: httpd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Web Stack Team
QA Contact: Ondřej Pták
: 1057687 (view as bug list)
Depends On:
Blocks: 1073078 1073081 1100680 1180223
TreeView+ depends on / blocked
Reported: 2014-02-28 12:53 UTC by Hubert Kario
Modified: 2019-10-10 09:15 UTC (History)
4 users (show)

Fixed In Version: httpd-2.4.6-16.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1080599 1100680 (view as bug list)
Last Closed: 2014-06-13 12:55:53 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Bugzilla 1057687 None CLOSED Custom/big DH parameters not supported 2019-01-08 11:55:17 UTC

Internal Links: 1057687

Description Hubert Kario 2014-02-28 12:53:55 UTC
Description of problem:
httpd does not start in FIPS mode with mod_ssl installed.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Start system in FIPS mode
2. Install mod_ssl
3. Generate self-signed keys:
   openssl req -x509 -newkey rsa -keyout server.key -out server.crt -subj /CN=localhost -nodes -batch
4. Copy to default location for httpd keys:
   cp server.key /etc/pki/tls/private/localhost.key
   cp server.crt /etc/pki/tls/certs/localhost.crt
5. Start service:
   systemct start httpd

Actual results:
# systemctl status httpd.service
httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled)
   Active: failed (Result: exit-code) since Fri 2014-02-28 07:42:33 EST; 8s ago
  Process: 19676 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
  Process: 19675 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
 Main PID: 19675 (code=exited, status=1/FAILURE)

Feb 28 07:42:33 pes-guest-66.lab.eng.brq.redhat.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Feb 28 07:42:33 pes-guest-66.lab.eng.brq.redhat.com systemd[1]: Failed to start The Apache HTTP Server.
Feb 28 07:42:33 pes-guest-66.lab.eng.brq.redhat.com systemd[1]: Unit httpd.service entered failed state.

# less /var/log/httpd/error_log
[Fri Feb 28 07:42:33.806710 2014] [core:notice] [pid 19675] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Feb 28 07:42:33.808808 2014] [suexec:notice] [pid 19675] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Feb 28 07:42:33.809829 2014] [ssl:error] [pid 19675] AH01878: Init: Failed to generate temporary 1024 bit RSA private key
[Fri Feb 28 07:42:33.809878 2014] [ssl:error] [pid 19675] SSL Library Error: error:2D07406D:FIPS routines:RSA_BUILTIN_KEYGEN:invalid key length
AH00016: Configuration Failed

Expected results:
Apache started

Additional info:
Probably caused by newly introduced limits in FIPS mode that disallow DH params below 2048 bit

Marking as regression since mod_ssl works in FIPS mode on RHEL 6

Comment 8 Joe Orton 2014-03-06 11:53:54 UTC
*** Bug 1057687 has been marked as a duplicate of this bug. ***

Comment 9 Ondřej Pták 2014-03-07 13:24:36 UTC
verified on x86_64 and ppc64 by:
    * /CoreOS/httpd/Sanity/mod_ssl-smoke
    * /CoreOS/httpd/Library/http (selftest)
    * /CoreOS/httpd/Regression/bz1057687-Custom-big-DH-parameters-not-supported

Comment 10 Ludek Smid 2014-06-13 12:55:53 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

Note You need to log in before you can comment on or make changes to this bug.