[openssl-users] error: FIPS routines:fips_pkey_signature_test:test failure:fips_post.c
deff
deff80 at yahoo.com
Wed Aug 31 18:51:43 UTC 2016
I'm getting strange ssl errors on a server
140405310092952:error:2D079089:FIPS
routines:fips_pkey_signature_test:test failure:fips_post.c:166:
140405310092952:error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise
test failed:ec_key.c:249:
140405310092952:error:1409802B:SSL
routines:ssl3_send_client_key_exchange:reason(43):s3_clnt.c:2869:
What could be wrong?
It's a VM inside OpenStack, on Xeon.
OS:
Ubuntu 16.04 cloud image from 30-Aug-2016, apt-get upgraded
uname -a:
Linux host 4.4.0-36-generic #55-Ubuntu SMP Thu Aug 11 18:01:55 UTC
2016 x86_64 x86_64 x86_64 GNU/Linux
openssl version:
OpenSSL 1.0.2g-fips 1 Mar 2016
If I try it in a different VM, same OS, same packages, but different
hardware (i7, VMWare Workstation) openssl connections work as expected.
Shorter output follows, output with -debug -msg -state is at
http://pastebin.com/ELRPqSe7
# openssl s_client -connect getcomposer.org:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = CH, ST = Z\C3\BCrich, L = Z\C3\BCrich, O = Nelmio AG, CN =
getcomposer.org
verify return:1
140405310092952:error:2D079089:FIPS
routines:fips_pkey_signature_test:test failure:fips_post.c:166:
140405310092952:error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise test
failed:ec_key.c:249:
140405310092952:error:1409802B:SSL
routines:ssl3_send_client_key_exchange:reason(43):s3_clnt.c:2869:
---
Certificate chain
0 s:/C=CH/ST=Z\xC3\xBCrich/L=Z\xC3\xBCrich/O=Nelmio AG/CN=getcomposer.org
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGTCCBAGgAwIBAgIQA/CSzSaY2b4dUqeC6GV40DANBgkqhkiG9w0BAQsFADBN
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMScwJQYDVQQDEx5E
aWdpQ2VydCBTSEEyIFNlY3VyZSBTZXJ2ZXIgQ0EwHhcNMTQwNjMwMDAwMDAwWhcN
MTcwODAxMTIwMDAwWjBfMQswCQYDVQQGEwJDSDEQMA4GA1UECAwHWsO8cmljaDEQ
MA4GA1UEBwwHWsO8cmljaDESMBAGA1UEChMJTmVsbWlvIEFHMRgwFgYDVQQDEw9n
ZXRjb21wb3Nlci5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDY
/rinDi/amwLzf4Nc6vaWfRgRV4UMstDp0aPpF9ZJVApUzks6adk4i/1GbgusjQ8j
xuCpUih7FQdM0H/rwGAB1ydvMzvvQBa18DU3/2FNdEcQwJnK3VE/xV4OCKIS7xFa
LQm/W0jhkY3k++a68aGB/T3/mPxkQMxFNVFKwRRlS+GeKVIavfYkJZrfWobztVjb
bMFsxaIqHBCb7Jo0pGAbYoaedWncuUYDNIaez04ejIataxW5rwBapsKBRtRe92bn
sbU40IxrJ9R9amksYayJLYNhG/V8PIkQiibMrP4KVZH2XVZOMCpkrJFyW9l4Y2rm
aB89RzCU3a0yRu3NCv2fAgMBAAGjggHhMIIB3TAfBgNVHSMEGDAWgBQPgGEcgjFh
1S8o541GOLQs4cbZ4jAdBgNVHQ4EFgQUm5Dn9S1j0h3hvmp9dp3CIY9UpSowLwYD
VR0RBCgwJoIPZ2V0Y29tcG9zZXIub3JnghN3d3cuZ2V0Y29tcG9zZXIub3JnMA4G
A1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwawYD
VR0fBGQwYjAvoC2gK4YpaHR0cDovL2NybDMuZGlnaWNlcnQuY29tL3NzY2Etc2hh
Mi1nMi5jcmwwL6AtoCuGKWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLXNo
YTItZzIuY3JsMEIGA1UdIAQ7MDkwNwYJYIZIAYb9bAEBMCowKAYIKwYBBQUHAgEW
HGh0dHBzOi8vd3d3LmRpZ2ljZXJ0LmNvbS9DUFMwfAYIKwYBBQUHAQEEcDBuMCQG
CCsGAQUFBzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRgYIKwYBBQUHMAKG
Omh0dHA6Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydFNIQTJTZWN1cmVT
ZXJ2ZXJDQS5jcnQwDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQsFAAOCAQEAZ07d
PUGJmdueSrFMytwKiHB92OxqNRDtiGseYWidWIYuF9Uegj/oq8lZWdTyZuOl0fGG
z7eqNJQlNQ0Nee2bX0bBz3777HReracJ+p+0GeJlF0eXDpSLjh+8n6u/CsRJ/kmQ
9Q5bAS/YIk+P/gXgG9Mf3YjlhmglyFxxWtY66ivj4KpoggkitmEz6k6gEBnRMHYA
JuOeVeOQxXBFt5h1fOIrQP7mqfZ/1LADDVwxoepjczWplc+S2Q9Ciij/QoqPyGbK
ASMziu/XDQWm0+3HCZr5HbVGWybk4DaaCbWrYfQED3yFkOi54YNLBrVLHyUft77R
qL7FH5cFtqPuT+BqEg==
-----END CERTIFICATE-----
subject=/C=CH/ST=Z\xC3\xBCrich/L=Z\xC3\xBCrich/O=Nelmio
AG/CN=getcomposer.org
issuer=/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2921 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1472668388
Timeout : 300 (sec)
Verify return code: 0 (ok)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160831/aefaac07/attachment.html>
More information about the openssl-users
mailing list