Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1103136

Summary: New openssl version breaks EWS on RHEL6
Product: [JBoss] JBoss Enterprise Web Server 2
Reporter: Michal Haško <mhasko>
Component: httpd, tomcat6, tomcat7
Assignee: Weinan Li <weli>
Status: CLOSED CURRENTRELEASE
QA Contact: Michal Karm Babacek <mbabacek>
Severity: urgent
Priority: unspecified
Version: 2.0.1
CC: csutherl, hkario, jclere, jdoyle, jorton, pcheung, pslavice, rsvoboda, smumford
Target Milestone: ---
Keywords: Reopened
Target Release: 2.0.1
Hardware: Unspecified
OS: Unspecified
Doc Type: Known Issue
Doc Text:
Cause: The httpd daemon fails to start when FIPS mode is enabled when it attempts to create a temporary RSA key.
Consequence: httpd cannot be used in FIPS mode.
Workaround (if any): Disable FIPS mode when using httpd.
Result:
Story Points: ---
Clone Of:
: 1103139 (view as bug list) Environment:
Last Closed: 2017-08-09 16:13:00 UTC
Type: Bug
Bug Blocks: 1103139
Attachments:
tomcat catalina.out
httpd error_log

Description Michal Haško 2014-05-30 11:10:20 UTC
Description of problem:
There's a new version of openssl in development, which breaks EWS2 on RHEL6. Neither tomcat nor httpd is able to start.

Version-Release number of selected component (if applicable):
openssl-1.0.1e-16.el6_5.9

How reproducible:
100%

Steps to Reproduce:
1. get a RHEL6 box
2. install openssl-1.0.1e-16.el6_5.9
3. install EWS2 (zip)
4. start tomcat||httpd

Comment 1 Michal Haško 2014-05-30 11:10:48 UTC
Created attachment 900754
tomcat catalina.out

Comment 2 Michal Haško 2014-05-30 11:11:18 UTC
Created attachment 900755
httpd error_log

Comment 4 Weinan Li 2014-05-30 11:51:10 UTC
Permaine, could you please have a look at this?

Comment 5 Permaine Cheung 2014-05-30 14:22:41 UTC
Jean-Frederic, can you please look into this?

Comment 6 Jean-frederic Clere 2014-06-03 15:09:14 UTC
I have tried with
http://download.devel.redhat.com/devel/candidates/JBEWS/2.1.0.ER1/
++++
[jfclere@neo3 ~]$ rpm -qa | grep openssl
openssl-devel-1.0.1e-16.el6_5.4.x86_64
openssl-1.0.1e-16.el6_5.4.x86_64
++++
Works OK.

Update openssl (yum update openssl):
++++
[jfclere@neo3 tomcat6]$ rpm -qa | grep openssl
openssl-1.0.1e-16.el6_5.7.x86_64
openssl-devel-1.0.1e-16.el6_5.7.x86_64
++++

It seems openssl-1.0.1e-16.el6_5.9 isn't available yet... According to the errata it causes regressions.

Comment 8 Jean-frederic Clere 2014-06-04 14:52:59 UTC
After quick investigation the fixes in both tomcat-native and httpd are similar in ssl_tmp_key_init_rsa().
- if (FIPS_mode() && bits < 1024) {
+ if (FIPS_mode() && bits < 2048) {
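
Review bot: The new lower bound in the condition "FIPS_mode() && bits < 2048" is a bare literal, and nothing in the hunk says why 2048 is the cut-off or what happens to callers that still ask for a smaller temporary key. Suggest a named constant with a comment tying it to the minimum RSA size accepted in FIPS mode, plus a log message on this path so an operator can see that temporary RSA key generation was skipped. The branch body is not visible here, so it is worth confirming that it skips the key rather than returning an error that stops the server from starting.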

The side effect is that we won't have temporary RSA keys any more.

Comment 9 Jean-frederic Clere 2014-06-05 05:58:11 UTC
According to Joe we need a bigger patch; he is working on it.

Comment 10 Jean-frederic Clere 2014-06-17 06:21:01 UTC
The errata has been dropped.

Comment 18 Coty Sutherland 2017-08-09 16:13:00 UTC
Setting this to closed/currentrelease since there is no closed/outdated status.