httpd-users mailing list archives

From ja...@nixsecurity.org
Subject Re: Re: [users@httpd] Apache 2.2.16
Date Fri, 06 Aug 2010 15:30:31 GMT
For Apache 2.2.15, I've used two different versions of OpenSSL (0.9.8n and 0.9.8o); the latter
version of OpenSSL was used ever since it was released, and I had no issues. I've used different
versions of OpenSSL (when they became available) with different versions of Apache and still
never encountered any of these issues before.

Your suggestion was my next step; I just wanted to see if anyone has experienced these issues.

Thanks for the quick response!

James


>---- Original Message ----
>From: Jeff Trawick <trawick@gmail.com>
>To: users@httpd.apache.org
>Sent: Fri, Aug 6, 2010, 11:18 AM
>Subject: Re: [users@httpd] Apache 2.2.16
>
>On Fri, Aug 6, 2010 at 10:57 AM,  <james@nixsecurity.org> wrote:
>>
>> Hello,
>>
>> I've recently upgraded to 2.2.16 and am encountering some issues. I've noticed the
>> addition of SSLFIPS, however, I did not see any mention of this in the release notes. I did,
>> however, see mention of it in the release notes for 2.3.6, interesting. I've compiled against
>> OpenSSL 0.9.8o-fips (FIPS 1.2 module from openssl.org).
>>
>> I have a web application that uses OpenLDAP and SSH to add/check resources, such
>> as users. Going through HTTPS and testing the LDAP server configuration (manually entered
>> settings) to verify that I can communicate with the server properly, the Apache child process
>> segfaults. The OpenLDAP version is 2.4.23.
>>
>> [Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
>>
>> Has anyone encountered this issue before?
>>
>> My other issue is when adding a user over HTTPS and having PHP exec() the system's
>> ssh command to connect to the remote machine and perform a few minor operations. The error
>> message I am getting is:
>>
>> digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
>> [Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
>>
>> After researching that error message a bit, it appears to be caused by an MD5 checksum
>> and MD5 is one of the forbidden algorithms in FIPS.
>>
>> The above mentioned functionality worked flawlessly in 2.2.15 and below.
>
>Did you use the same OpenSSL build with 2.2.15 and below?
>
>My suggestion:
>
>- Find out what symptoms are specific to the use of FIPS-enabled OpenSSL
>- Get backtraces for any crashes (SIGSEGV, SIGABRT) you're seeing
>- Open bugs with the appropriate component(s) -- httpd, PHP, apr,
>  OpenLDAP, etc. -- depending on what code crashes or is implicated in
>  misusing some other component.
>
>---------------------------------------------------------------------
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:http://httpd.apache.org/userslist.html> for more info.
>To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>For additional commands, e-mail: users-help@httpd.apache.org
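
Added example, not part of either message above: one way to start on the first suggestion (separating the symptoms that are specific to FIPS-enabled OpenSSL) is to triage error_log so that each child crash is paired with the untimestamped output printed just before it. The function names are hypothetical, and the pairing assumes the assertion text lands directly before the exit notice, as it does in the lines quoted in the thread.

```python
import re
from collections import Counter

# Child-exit notice in the error_log format quoted in the thread.
EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[notice\] child pid (?P<pid>\d+) "
    r"exit signal (?P<name>.+?) \((?P<num>\d+)\)"
)
# The assertion line appears in the thread without a timestamp prefix.
FIPS_RE = re.compile(r"OpenSSL internal error.*FIPS", re.IGNORECASE)

def triage(lines):
    """Return one record per crashed child, with any untimestamped
    output that immediately preceded its exit notice."""
    crashes, pending = [], []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue
        m = EXIT_RE.match(line)
        if m:
            crashes.append({
                "time": m["ts"], "pid": int(m["pid"]),
                "signal": int(m["num"]), "name": m["name"],
                "context": pending,
                "fips_related": any(FIPS_RE.search(c) for c in pending),
            })
            pending = []
        elif line.startswith("["):
            pending = []          # ordinary timestamped entry: reset context
        else:
            pending.append(line)  # raw output from a library or child process
    return crashes

def summarize(crashes):
    """Count crashes by (signal name, FIPS-related) to split the symptoms."""
    return Counter((c["name"], c["fips_related"]) for c in crashes)

# Constructed sample: the two crash notices and the assertion text are those
# quoted in the thread (unwrapped); the first line is made up for context.
SAMPLE = """\
[Fri Aug 06 09:17:50 2010] [notice] Apache configured -- resuming normal operations
[Fri Aug 06 09:17:54 2010] [notice] child pid 15419 exit signal Segmentation fault (11)
digest.c(151): OpenSSL internal error, assertion failed: Digest update previous FIPS forbidden algorithm error ignored
[Fri Aug 06 09:32:27 2010] [notice] child pid 29661 exit signal Aborted (6)
""".splitlines()

if __name__ == "__main__":
    print(summarize(triage(SAMPLE)))
```

On the sample, the SIGABRT is tagged as FIPS-related and the SIGSEGV is not, which leaves the segfault as the crash that still needs a backtrace to attribute to a component.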



