intermittent Apache/OpenSSL error hangs server


Jerry Blasdel-2
I have several servers configured the same, running Apache 2.4X/OpenSSL1.02 fips-enabled.

On one server we periodically get the following errors in the Apache logs:

SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed.

In some cases, the server continues to service requests, but in other cases the server hangs and will not process requests until the worker pid receiving the error is killed, or a kill -HUP is issued on the Apache root pid.

I see someone else had a similar issue but I can't find any resolution.


Other information...

We have looked at the entropy on the server when it is working properly vs when it hangs and could not find any big differences.

Also, SSLRandomSeed is configured for startup and connect in Apache.

Any help would be appreciated.

Thanks
Re: intermittent Apache/OpenSSL error hangs server

Jerry Blasdel-2
Here is more information.  On the server that is having this issue, prior to the FIPS_drbg_generate errors (these show up every time that worker pid is selected to serve a request) we have a single OpenSSL error that shows up in the logs.

SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise test failed

Once we get that error, every time we try to serve a request in Apache using that pid, it errors out.  So, it seems like something randomly corrupts that PID.  Can someone provide some information about FIPS_CHECK_EC: pairwise test failed?

Thanks


Re: intermittent Apache/OpenSSL error hangs server

OpenSSL - User mailing list

>Once we get that error, every time we try to serve a request in Apache using that pid, it errors out.  So, it seems like something randomly corrupts that PID.  Can someone provide some information about FIPS_CHECK_EC: pairwise test failed.

 

Once FIPS detects an error, it will stay stuck in error-state until you re-initialize.  Sorry, can’t provide more details about the specific test that’s failing.

Re: intermittent Apache/OpenSSL error hangs server

Hubert Kario
On Thursday, 9 January 2020 17:42:47 CET, Jerry Blasdel wrote:

> Here is more information.  On the server that is having this issue, prior
> to the FIPS_drbg_generate errors (these show up every time that worker pid
> is selected to serve a request) we have a single OpenSSL error that shows
> up in the logs.
>
> SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise
> test failed
>
> Once we get that error, every time we try to serve a request in Apache
> using that pid, it errors out.  So, it seems like something randomly
> corrupts that PID.  Can someone provide some information about
> FIPS_CHECK_EC: pairwise test failed.

I would try to eliminate hardware issue as a possible cause: run memcheck, cpu stress tests, etc.

> Thanks
>
> On Tue, Jan 7, 2020 at 7:21 AM Jerry Blasdel <[hidden email]> wrote:
>
>> I have several servers configured the same, running Apache
>> 2.4X/OpenSSL1.02 fips-enabled.
>>
>> On one server we periodically get the following errors in the Apache logs:
>>
>> SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed.  In
>> some cases, the server continues to service requests, but in
>> other cases ...
>
>

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
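
The pattern described in this thread (one FIPS failure on a worker, then FIPS errors every time that pid serves a request) can be picked out of the error log per pid. The script below is an added example, not code from any poster or from the OpenSSL or Apache projects; it assumes the default Apache 2.4 error-log layout with a `[pid N:tid N]` field, and the sample lines are constructed.

```python
import re

# Constructed sample lines (pids, tids and times are made up) in the assumed
# default Apache 2.4 error-log layout; "xxxxxx" is the elided code from the thread.
SAMPLE_LOG = """\
[Thu Jan 09 10:02:11.120331 2020] [ssl:error] [pid 4102:tid 1401] SSL Library Error: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[Thu Jan 09 10:02:14.554120 2020] [ssl:error] [pid 4107:tid 1405] SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise test failed
[Thu Jan 09 10:02:20.001874 2020] [ssl:error] [pid 4107:tid 1406] SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed
[Thu Jan 09 10:02:25.410007 2020] [mpm_event:notice] [pid 4100:tid 1400] constructed non-SSL line
[Thu Jan 09 10:02:31.775002 2020] [ssl:error] [pid 4107:tid 1405] SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed
"""

# timestamp, module:level, pid (tid optional), then the OpenSSL error string
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[[^\]]*\] \[pid (?P<pid>\d+)(?::tid \d+)?\] "
    r"SSL Library Error: error:(?P<code>[0-9A-Za-z]+):(?P<rest>.*)$"
)


def stuck_fips_workers(log_text):
    """Map each worker pid that logged a FIPS failure to its first failure
    (the likely trigger) and the number of FIPS errors logged after it."""
    workers = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "FIPS" not in m.group("rest"):
            continue  # not an OpenSSL error, or not from the FIPS module
        pid = int(m.group("pid"))
        detail = " ".join(m.group("rest").split())  # normalise spacing
        if pid not in workers:
            workers[pid] = {"first_ts": m.group("ts"), "trigger": detail,
                            "followups": 0}
        else:
            workers[pid]["followups"] += 1
    return workers


if __name__ == "__main__":
    for pid, info in stuck_fips_workers(SAMPLE_LOG).items():
        print(f"pid {pid}: first FIPS failure at {info['first_ts']}: {info['trigger']}")
        print(f"  {info['followups']} later FIPS error(s) on the same pid")
```

A pid reported here is in the state the thread describes: it keeps failing until that worker is killed or the Apache root pid receives kill -HUP.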