<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<font face="Helvetica, Arial, sans-serif">I'm getting strange ssl
errors on a server<br>
</font><br>
<font face="Helvetica, Arial, sans-serif"><font face="Helvetica,
Arial, sans-serif"> 140405310092952:error:2D079089:FIPS
routines:fips_pkey_signature_test:test failure:fips_post.c:166:<br>
140405310092952:error:2D06A07F:FIPS
routines:FIPS_CHECK_EC:pairwise test failed:ec_key.c:249:<br>
140405310092952:error:1409802B:SSL
routines:ssl3_send_client_key_exchange:reason(43):s3_clnt.c:2869:<br>
</font><br>
What could be wrong?<br>
</font><font face="Helvetica, Arial, sans-serif"><font
face="Helvetica, Arial, sans-serif"><br>
It's a VM inside OpenStack, on Xeon.<br>
</font>OS:<br>
Ubuntu 16.04 cloud image from 30-Aug-2016, apt-get upgraded<br>
uname -a: <br>
Linux host 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55
UTC 2016 x86_64 x86_64 x86_64 GNU/Linux<br>
openssl version:<br>
OpenSSL 1.0.2g-fips 1 Mar 2016<br>
<br>
If I try it in a different VM, same OS, same packages, but
different hardware (i7, VMware Workstation), openssl connections
work as expected.<br>
<br>
Shorter output follows, output with </font><font face="Helvetica,
Arial, sans-serif"><font face="Helvetica, Arial, sans-serif">-debug
-msg -state </font>is at <a class="moz-txt-link-freetext" href="http://pastebin.com/ELRPqSe7">http://pastebin.com/ELRPqSe7</a><br>
<br>
# openssl s_client -connect getcomposer.org:443<br>
CONNECTED(00000003)<br>
depth=2 C = US, O = DigiCert Inc, OU = <a class="moz-txt-link-abbreviated" href="http://www.digicert.com">www.digicert.com</a>, CN =
DigiCert Global Root CA<br>
verify return:1<br>
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server
CA<br>
verify return:1<br>
depth=0 C = CH, ST = Z\C3\BCrich, L = Z\C3\BCrich, O = Nelmio AG,
CN = getcomposer.org<br>
verify return:1<br>
140405310092952:error:2D079089:FIPS
routines:fips_pkey_signature_test:test failure:fips_post.c:166:<br>
140405310092952:error:2D06A07F:FIPS
routines:FIPS_CHECK_EC:pairwise test failed:ec_key.c:249:<br>
140405310092952:error:1409802B:SSL
routines:ssl3_send_client_key_exchange:reason(43):s3_clnt.c:2869:<br>
---<br>
Certificate chain<br>
0 s:/C=CH/ST=Z\xC3\xBCrich/L=Z\xC3\xBCrich/O=Nelmio
AG/CN=getcomposer.org<br>
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA<br>
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA<br>
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global
Root CA<br>
---<br>
Server certificate<br>
subject=/C=CH/ST=Z\xC3\xBCrich/L=Z\xC3\xBCrich/O=Nelmio
AG/CN=getcomposer.org<br>
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA<br>
---<br>
No client certificate CA names sent<br>
Peer signing digest: SHA512<br>
Server Temp Key: ECDH, P-256, 256 bits<br>
---<br>
SSL handshake has read 2921 bytes and written 0 bytes<br>
---<br>
New, (NONE), Cipher is (NONE)<br>
Server public key is 2048 bit<br>
Secure Renegotiation IS supported<br>
Compression: NONE<br>
Expansion: NONE<br>
No ALPN negotiated<br>
SSL-Session:<br>
Protocol : TLSv1.2<br>
Cipher : 0000<br>
Session-ID:<br>
Session-ID-ctx:<br>
Master-Key:<br>
Key-Arg : None<br>
PSK identity: None<br>
PSK identity hint: None<br>
SRP username: None<br>
Start Time: 1472668388<br>
Timeout : 300 (sec)<br>
Verify return code: 0 (ok)</font>
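<br>
<br>
Added example, not part of the original post: a short Python parser for the error-queue lines quoted above. It splits each packed code into library, function and reason numbers (OpenSSL 1.0.x layout) and resolves the unnamed reason(43) through the generic reason table; the function names and the GENERIC_REASONS subset are choices made for this example.

```python
import re

# The three error-queue lines from the post, with the mail line-wrapping joined.
ERROR_QUEUE = """\
140405310092952:error:2D079089:FIPS routines:fips_pkey_signature_test:test failure:fips_post.c:166:
140405310092952:error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise test failed:ec_key.c:249:
140405310092952:error:1409802B:SSL routines:ssl3_send_client_key_exchange:reason(43):s3_clnt.c:2869:
"""

# Fields: thread id, "error", packed code, library, function, reason, file, line.
LINE_RE = re.compile(
    r"^(\d+):error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^:]*):([^:]*):(\d+):"
)

# Generic reasons reuse the library number (ERR_R_x_LIB equals ERR_LIB_x).
# Subset of the OpenSSL 1.0.2 err.h values, enough for key-exchange traces.
GENERIC_REASONS = {5: "ERR_R_DH_LIB", 16: "ERR_R_EC_LIB",
                   42: "ERR_R_ECDSA_LIB", 43: "ERR_R_ECDH_LIB"}


def unpack(code_hex):
    """Split a packed 1.0.x error code into (library, function, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def parse_queue(text):
    """Parse error-queue lines; the first entry is the earliest error raised."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _tid, code, lib, func, reason, fname, lineno = m.groups()
        lib_no, func_no, reason_no = unpack(code)
        # "reason(N)" is printed when the library has no string for N.
        if reason == "reason(%d)" % reason_no:
            reason = GENERIC_REASONS.get(reason_no, reason)
        entries.append({"lib": lib, "lib_no": lib_no, "func": func,
                        "func_no": func_no, "reason": reason,
                        "reason_no": reason_no,
                        "where": "%s:%s" % (fname, lineno)})
    return entries


def fips_selftest_failures(entries):
    """Entries raised by the FIPS module's own consistency tests."""
    return [e for e in entries if e["lib"] == "FIPS routines"]


if __name__ == "__main__":
    for entry in parse_queue(ERROR_QUEUE):
        print(entry)
```

On this trace the SSL-level entry resolves to ERR_R_ECDH_LIB, and the two entries queued before it come from the FIPS module's signature and pairwise self-tests.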
</body>
</html>