Bug 60943 - mod_ssl enables all of OpenSSL's built-in engines, even when in FIPS mode.
Summary: mod_ssl enables all of OpenSSL's built-in engines, even when in FIPS mode.
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.4.25
Hardware: PC FreeBSD
: P2 normal (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2017-03-30 18:27 UTC by stephen_wall
Modified: 2017-03-30 18:27 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description stephen_wall 2017-03-30 18:27:07 UTC
FreeBSD (and OpenBSD) provide(s) a crypto accelerator device, /dev/crypto, for which OpenSSL builds a built-in engine.

Apache's mod_ssl calls ENGINE_load_builtin_engines() as part of its startup, resulting in that engine being active. For RSA operations, that engine calls some OpenSSL internal RSA functions.  Those functions are not the FIPS certified ones, resulting in a failure if FIPS has been enabled.  This means Apache will reject all connections until it is reconfigured, either without FIPS enabled, or with an EC certificate.

While I believe that the OpenSSL cryptodev engine should not be calling those functions, I don't think mod_ssl should be arbitrarily enabling all the built-in engines, even when FIPS mode has been turned on, since it has no knowledge of whether those engines are FIPS certified.  Either don't call ENGINE_load_builtin_engines() when in FIPS mode, or add a configuration option that allows users to choose for themselves whether or not ENGINE_load_builtin_engines() is called.