FIPS Fails due to Fingerprint Error while running for a App

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

FIPS Fails due to Fingerprint Error while running for a App

ALe TAHIR

Hi Experts,


Looking for some assistance. I’ve compiled one of the App in FIPs mode and while running the App. I’m getting fingerprint mismatch error. I’ve followed the standard procedure to build a FIPS module using OpenSSL UserGuide 2.0. But not sure what part is missing.

:~$ openssl version
OpenSSL 1.0.2q-fips 20 Nov 2018


:~$  (App version check Output)


error initializing FIPS mode
0:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:



I followed the standard procedure to build the FIPS module. If I try running Openssl commands via FIPS enabled it didn’t give me any errors:

root@haproxyOpenSSLFIPS-02:/home/ubuntu# OPENSSL_FIPS=1 openssl md5 xyz.txt
Error setting digest md5
140197799200408:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:


But if I try via app it initialize to fail due to fingerprint error:
I compiled the app build via following make command:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib/

Where as FIPS module path is: /usr/local/ssl/fips-2.0

I’m thinking may be issue is at the path end while using make for haproxy (as above ^) but not sure.

Here is ldd haproxy result:

root@haproxyOpenSSLFIPS-02:/home/ubuntu/haproxy-1.9.2# ldd haproxy
linux-vdso.so.1 => (0x00007ffcd331c000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa12fef2000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa12fcd8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa12fabb000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa12f8b3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12f6af000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa12f43f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f075000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13012a000)



--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users