Bug 773473 - [RHEL 5.7] Apache HTTP Server cannot start with mod_ssl when FIPS 140-2 mode enabled
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.9
Hardware: x86_64 Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Joe Orton
QA Contact: Aleš Mareček
Blocks: 803893

Reported: 2012-01-11 17:14 EST by Jason A. Beranek
Modified: 2013-01-08 00:04 EST
CC: 7 users

Fixed In Version: httpd-2.2.3-66
Doc Type: Bug Fix
Last Closed: 2013-01-08 00:04:03 EST

External Trackers
Tracker ID: Red Hat Product Errata RHSA-2013:0130
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: httpd security, bug fix, and enhancement update
Last Updated: 2013-01-08 04:33:40 EST

Description Jason A. Beranek 2012-01-11 17:14:34 EST
Description of problem:
When running RHEL 5.7 x86_64 with FIPS 140-2 mode enabled, Apache HTTP Server fails to start if mod_ssl is enabled.

Version-Release number of selected component (if applicable):
httpd-2.2.3-53.el5_7.3.x86_64.rpm
mod_ssl-2.2.3-53.el5_7.3.x86_64.rpm

How reproducible:
Consistently reproduced

Steps to Reproduce:
1. Install httpd and mod_ssl via "yum install httpd mod_ssl"
2. Complete the steps described to place RHEL 5 in FIPS mode (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1320.pdf)
3. Restart the system
4. Start the httpd service via "/sbin/service httpd start"

Actual results:

httpd fails to start, indicating only "Failure" from the start script. 

Expected results:

httpd starts successfully

Additional info:

The error appears to be caused by the httpd and mod_ssl packages being out of sync with the upstream Apache HTTP Server project. FIPS 140-2 support was added to mod_ssl in Apache 2.2.x with revision 963430 (http://svn.apache.org/viewvc?view=revision&revision=963430), and released as part of Apache HTTP Server 2.2.17. The changes provided by this revision have not been migrated into the RHEL 5.7 httpd SRPM.

The following is a brief description of the troubleshooting process that led to the conclusion above.

After httpd fails to start, the /var/log/httpd/error_log indicates the following information:

  Init: Failed to generate temporary 512 bit RSA private key
  Configuration failed

Attempted applying fixes for this error message documented on the internet, but those did not resolve the issue.

Attempted to create a 512 bit RSA key independent of mod_ssl to see if the error originated from OpenSSL. The "openssl genrsa 512" command failed with the error "FIPS routines:RSA_BUILTIN_KEYGEN:key too short". 

Reviewed the httpd SRPM, found the source for the error message above in modules/ssl/ssl_engine_init.c. Observed this code attempts to create a 512 bit RSA key using OpenSSL, and if that creation fails Apache HTTP Server startup fails. Reviewed upstream Apache project SVN versions of ssl_engine_init.c, and found that the upstream version included a flag to indicate FIPS mode. When enabled, ssl_engine_init.c skips creating any RSA or DH keys smaller than 1024 in accordance with the FIPS 140-2 mode. Tracked origin of this change to revision 963430, first released as part of Apache HTTP Server 2.2.17.
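The troubleshooting steps in the report above, turned into a triage script. This is an added example, not code from the bug report, from Red Hat, or from the httpd package. It checks the four things the reporter checked by hand: whether the host is in FIPS mode, whether the installed OpenSSL refuses a 512-bit RSA key, whether error_log carries the "Failed to generate temporary 512 bit RSA private key" failure, and whether the installed httpd predates the fixed build httpd-2.2.3-66 named in this bug. It assumes the kernel FIPS flag is readable at /proc/sys/crypto/fips_enabled; the script name check_fips_modssl.sh and the sample error_log lines are constructed for the example, and the 512/1024 threshold follows the reporter's description of upstream r963430.

```shell
#!/bin/sh
# Triage helper for the failure in this bug: mod_ssl generating a 512-bit
# temporary RSA key at startup, which OpenSSL refuses in FIPS 140-2 mode.
# Added example, not code from the bug report or the httpd package.
# Assumptions: FIPS flag at /proc/sys/crypto/fips_enabled; fixed build is
# httpd-2.2.3-66 (the "Fixed In Version" of this bug).

# True when kernel FIPS mode is on.  $1 overrides the flag file (for tests).
fips_enabled() {
    f="${1:-/proc/sys/crypto/fips_enabled}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Smallest temporary RSA key mod_ssl may generate on this host.  Per the
# report, upstream r963430 skips keys below 1024 bits when FIPS is on;
# without FIPS the 512-bit temporary key is still generated.
min_temp_rsa_bits() {
    if fips_enabled "$1"; then echo 1024; else echo 512; fi
}

# Can the installed OpenSSL generate an RSA key of $1 bits?  In FIPS mode
# "openssl genrsa 512" fails with RSA_BUILTIN_KEYGEN:key too short.
rsa_keygen_ok() {
    openssl genrsa "$1" >/dev/null 2>&1
}

# Number of mod_ssl init failures recorded in the error_log given as $1.
count_init_failures() {
    grep -c 'Failed to generate temporary 512 bit RSA private key' "$1" || true
}

# Is httpd VERSION-RELEASE $1 (e.g. 2.2.3-53.el5_7.3) the fixed 2.2.3-66 or later?
httpd_is_fixed() {
    ver="${1%%-*}"
    rel="${1#*-}"; rel="${rel%%.*}"
    case "$rel" in ''|*[!0-9]*) return 1 ;; esac
    [ "$ver" = "2.2.3" ] && [ "$rel" -ge 66 ]
}

# Constructed sample of the error_log lines quoted in the report (not a capture).
constructed_error_log() {
    cat <<'EOF'
[Wed Jan 11 16:58:02 2012] [error] Init: Failed to generate temporary 512 bit RSA private key
[Wed Jan 11 16:58:02 2012] [error] Configuration failed
EOF
}

diagnose() {
    log="${1:-/var/log/httpd/error_log}"
    if fips_enabled; then echo "FIPS mode: enabled"; else echo "FIPS mode: disabled"; fi
    echo "smallest temporary RSA key mod_ssl may generate here: $(min_temp_rsa_bits) bits"
    if command -v openssl >/dev/null 2>&1; then
        for bits in 512 1024; do
            if rsa_keygen_ok "$bits"; then
                echo "openssl genrsa $bits: ok"
            else
                echo "openssl genrsa $bits: refused (expected for 512 under FIPS)"
            fi
        done
    fi
    if [ ! -r "$log" ]; then
        log=$(mktemp); constructed_error_log > "$log"
        echo "no readable error_log, using constructed sample $log"
    fi
    echo "mod_ssl init failures in $log: $(count_init_failures "$log")"
    if command -v rpm >/dev/null 2>&1 && vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}' httpd 2>/dev/null); then
        if httpd_is_fixed "$vr"; then
            echo "httpd $vr: contains the fix"
        else
            echo "httpd $vr: predates 2.2.3-66, apply RHSA-2013:0130"
        fi
    fi
}

# Usage: sh check_fips_modssl.sh diagnose [/path/to/error_log]
if [ "${1-}" = "diagnose" ]; then shift; diagnose "$@"; fi
```

On an affected RHEL 5.7 host in FIPS mode the script reports FIPS enabled, a refused 512-bit keygen, a non-zero failure count in error_log, and an httpd release below 66, which together are the signature of this bug; the same host with only mod_ssl disabled would still show the first two lines, which is why the key-size check alone is not a test for the fix.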
Comment 1 Joe Orton 2012-01-12 06:56:07 EST
Thanks for the report.
Comment 5 RHEL Product and Program Management 2012-04-19 07:50:29 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 11 errata-xmlrpc 2013-01-08 00:04:03 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0130.html
