Bug 53166 - FIPS Mode temporary key generation error
Summary: FIPS Mode temporary key generation error
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.2.22
Hardware: PC FreeBSD
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2012-04-30 19:26 UTC by Ken Papagno
Modified: 2013-06-01 07:36 UTC (History)
Description Ken Papagno 2012-04-30 19:26:56 UTC
When operating in fips mode (SSLFIPS on) the httpd-error-log contains two entries that are stated as errors.

[Mon Apr 30 18:23:57 2012] [notice] Operating in SSL FIPS mode
[Mon Apr 30 18:23:57 2012] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
[Mon Apr 30 18:23:57 2012] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode

Examining the code in modules/ssl/ssl_engine_init.c where the message is generated shows the error being generated:
    if (FIPS_mode() && bits < 1024) {
        mc->pTmpKeys[idx] = NULL;
        ap_log_error(APLOG_MARK, APLOG_ERR, 0, s,
                     "Init: Skipping generating temporary "
                     "%d bit RSA private key in FIPS mode", bits);
        return OK;
    }

The message is marked as an error (APLOG_ERR), however the function returns with an OK.  If the bits < 1024 is truly a FIPS error then the function should return !OK.

If the bits < 1024 is OK, and this is not an error, then the log message should not be flagged with the APLOG_ERR, and should be flagged with NOTICE or similar.
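The practical consequence of the report above is that, on a 2.2.x server running with SSLFIPS on, two expected "[error]" lines appear at startup and have to be told apart from genuine errors when the log is reviewed. The following script is an added example, not code from the bug report or from httpd: it parses 2.2-style error-log lines ("[date] [level] message"), recognises the two "Skipping generating temporary ... in FIPS mode" messages by mirroring the `FIPS_mode() && bits < 1024` condition quoted from ssl_engine_init.c, and separates them from other error-level entries. The log format, the regular expressions and the sample lines (the first three copied from the report, the fourth constructed) are assumptions of this example.

```python
"""Triage httpd 2.2-style error-log lines for the expected FIPS temporary-key skips.

Added example; not httpd code. Assumes the 2.2 log line format shown in the
bug report: "[<date>] [<level>] <message>".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 2.2-style error log line, e.g. "[Mon Apr 30 18:23:57 2012] [error] message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<level>[a-z]+)\] (?P<msg>.*)$")

# Message text emitted by ssl_engine_init.c when a small temporary key is skipped
# (taken from the log lines quoted in the report).
SKIP_RE = re.compile(
    r"^Init: Skipping generating temporary (?P<bits>\d+) bit "
    r"(?P<kind>RSA private key|DH parameters) in FIPS mode$"
)

# Threshold from the quoted check: FIPS_mode() && bits < 1024.
FIPS_MIN_BITS = 1024

# Levels that a reviewer would normally treat as actionable.
ERROR_LEVELS = ("error", "crit", "alert", "emerg")


@dataclass
class Entry:
    timestamp: str
    level: str
    message: str
    benign_fips_skip: bool
    bits: Optional[int] = None
    kind: Optional[str] = None


def fips_skips_temp_key(fips_mode: bool, bits: int) -> bool:
    """Mirror of the condition in the quoted snippet: in FIPS mode, temporary
    keys shorter than 1024 bits are not generated, and httpd still returns OK."""
    return fips_mode and bits < FIPS_MIN_BITS


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, level, msg = m.group("ts"), m.group("level"), m.group("msg")
    skip = SKIP_RE.match(msg)
    if skip:
        bits = int(skip.group("bits"))
        return Entry(ts, level, msg,
                     benign_fips_skip=fips_skips_temp_key(True, bits),
                     bits=bits, kind=skip.group("kind"))
    return Entry(ts, level, msg, benign_fips_skip=False)


def triage(lines: List[str]) -> Tuple[List[Entry], List[Entry]]:
    """Split lines into (actionable errors, expected FIPS skip messages).

    Lines below error level, and lines that do not parse, are dropped."""
    actionable: List[Entry] = []
    expected: List[Entry] = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if e.benign_fips_skip:
            expected.append(e)
        elif e.level in ERROR_LEVELS:
            actionable.append(e)
    return actionable, expected


# Constructed sample: three lines copied from the bug report plus one
# constructed error line standing in for a genuine failure.
SAMPLE_LOG = [
    "[Mon Apr 30 18:23:57 2012] [notice] Operating in SSL FIPS mode",
    "[Mon Apr 30 18:23:57 2012] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode",
    "[Mon Apr 30 18:23:57 2012] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode",
    "[Mon Apr 30 18:24:01 2012] [error] Init: (constructed) example of a genuine startup error",
]

if __name__ == "__main__":
    real, skips = triage(SAMPLE_LOG)
    for e in skips:
        print(f"expected in FIPS mode: {e.bits}-bit {e.kind} not generated")
    for e in real:
        print(f"ACTIONABLE [{e.level}] {e.message}")
```

Run against the sample, the two 512-bit skip lines are reported as expected behaviour and only the constructed fourth line is left as an actionable error. On trunk and 2.4.5 onward the skip message is logged at DEBUG, so the filter matters mainly for 2.2.x deployments.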
Comment 1 Christophe JAILLET 2013-06-01 07:36:07 UTC
r1447993 has turned it to DEBUG on trunk.

It has been backported to 2.4.x in r1465989.
Will be part of 2.4.5.