Bug 1386282 - OpenSSL 1.0.2h stalls startup of httpd when FIPS enabled
Status: CLOSED WONTFIX
Alias: None
Product: JBoss Enterprise Web Server 2
Classification: JBoss
Component: openssl
Version: 2.1.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assignee: George Zaronikas
QA Contact: Michal Karm Babacek
Reported: 2016-10-18 14:36 UTC by Robert Bost
Modified: 2019-12-16 07:09 UTC

Last Closed: 2019-06-13 12:20:05 UTC
Type: Bug


Description Robert Bost 2016-10-18 14:36:26 UTC
Description of problem: On a RHEL 6 server with FIPS enabled, startup of httpd stalls and pstack reveals openssl hanging.


Version-Release number of selected component (if applicable):
httpd-2.2.26-55.ep6.el6.x86_64
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
[root@localhost ~]# sysctl crypto.fips_enabled
crypto.fips_enabled = 1

[root@localhost ~]# service httpd start 
Starting httpd: <CTRL+Z>
[1]+  Stopped                 service httpd start

[root@localhost ~]# bg
[1]+ service httpd start &

[root@localhost ~]# ps aux | grep httpd
root      1998  0.0  0.1 106376  1660 ttyS0    S    10:32   0:00 /bin/sh /sbin/service httpd start
root      2005  0.0  0.1 108484  1796 ttyS0    S    10:32   0:00 /bin/bash /etc/init.d/httpd start
root      2012  0.0  0.1  11348  1192 ttyS0    S    10:32   0:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; /usr/sbin/httpd
root      2013  0.2  0.6 162392  6372 ttyS0    S    10:32   0:00 /usr/sbin/httpd
root      2015  0.0  0.0 103320   840 ttyS0    S+   10:32   0:00 grep httpd

[root@localhost ~]# pstack 2013
#0  0x00007fa59c0fd334 in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fa59c0f85d8 in _L_lock_854 () from /lib64/libpthread.so.0
#2  0x00007fa59c0f84a7 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fa594ebc03e in fips_drbg_status () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#4  0x00007fa594e3f259 in drbg_rand_add () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#5  0x00007fa594e3fd67 in RAND_poll () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#6  0x00007fa594e3e93a in ssleay_rand_bytes () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#7  0x00007fa594e3f403 in drbg_get_entropy () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#8  0x00007fa594ebb53c in fips_get_entropy () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#9  0x00007fa594ebba12 in drbg_reseed () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#10 0x00007fa594e3f319 in drbg_rand_seed () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#11 0x00007fa5953f8544 in ssl_rand_feedfp () from /etc/httpd/modules/mod_ssl.so
#12 0x00007fa5953f8847 in ssl_rand_seed () from /etc/httpd/modules/mod_ssl.so
#13 0x00007fa5953f0ca2 in ssl_init_Module () from /etc/httpd/modules/mod_ssl.so
#14 0x00007fa59d84e469 in ap_run_post_config ()
#15 0x00007fa59d839b48 in main ()


Actual results: httpd stalls on startup


Expected results: httpd starts


Additional info:
A similar issue was reported for RHEL 6's openssl:

https://bugzilla.redhat.com/show_bug.cgi?id=999852
https://access.redhat.com/solutions/1201563
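
A small triage helper for pstack output like the trace in this report, added here as an illustration (it is not part of the original report or of any Red Hat tooling): it reports whether the thread is parked in a libpthread lock wait, which function requested the lock, and which library that function was loaded from. The names `parse_frames` and `triage` are assumptions; the sample frames are abridged from the trace above.

```python
import re

# One frame per line, as pstack prints it:
#   #3  0x00007f... in fips_drbg_status () from /path/libcrypto.so.10
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+ in (\S+) \(\)(?: from (\S+))?$")
LOCK_FUNCS = {"__lll_lock_wait", "pthread_mutex_lock"}

# Frames abridged from the trace in this report (original frame numbers kept).
SAMPLE = """\
#0  0x00007fa59c0fd334 in __lll_lock_wait () from /lib64/libpthread.so.0
#1  0x00007fa59c0f85d8 in _L_lock_854 () from /lib64/libpthread.so.0
#2  0x00007fa59c0f84a7 in pthread_mutex_lock () from /lib64/libpthread.so.0
#3  0x00007fa594ebc03e in fips_drbg_status () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#4  0x00007fa594e3f259 in drbg_rand_add () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#10 0x00007fa594e3f319 in drbg_rand_seed () from /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.10
#11 0x00007fa5953f8544 in ssl_rand_feedfp () from /etc/httpd/modules/mod_ssl.so
#15 0x00007fa59d839b48 in main ()
"""

def parse_frames(text):
    """Return [(frame_no, function, library or None)], innermost frame first."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), m.group(2), m.group(3)))
    return frames

def _in_pthread(frame):
    return bool(frame[2]) and "libpthread" in frame[2]

def triage(text):
    """Report whether the thread waits on a mutex and which code asked for it."""
    frames = parse_frames(text)
    blocked = bool(frames) and _in_pthread(frames[0]) and any(
        f[1] in LOCK_FUNCS for f in frames if _in_pthread(f))
    # First frame outside libpthread is the caller that requested the lock.
    requester = next((f for f in frames if not _in_pthread(f)), None)
    # First frame from another object: where the call entered that library.
    entry = next((f for f in frames if requester and not _in_pthread(f)
                  and f[2] != requester[2]), None)
    return {"blocked_on_mutex": blocked,
            "requester": requester[1] if requester else None,
            "library": requester[2] if requester else None,
            "entered_from": entry[1] if entry else None}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On a host with more than one OpenSSL build installed, the `library` field shows which libcrypto the stalled process actually loaded; here it is the JBCS build under /opt/rh/jbcs-httpd24.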

Comment 6 Jean-frederic Clere 2016-10-19 09:45:10 UTC
JWS-3.1, JBCS-httpd2.4.23 and EWS-2.1.2 are using upstream openssl-1.0.2h and FIPS isn't supported here :-(

