[openssl-users] FIPS Fails due to Fingerprint Error while running for a App

ALe TAHIR ali.tahir at live.com
Wed Feb 13 10:52:15 UTC 2019

Hi Experts,

Looking for some assistance. I’ve compiled one of the apps in FIPS mode, and while running the app I’m getting a fingerprint mismatch error. I’ve followed the standard procedure to build a FIPS module using the OpenSSL User Guide 2.0, but I’m not sure what part is missing.

:~$ openssl version
OpenSSL 1.0.2q-fips 20 Nov 2018

:~$  (App version check Output)

error initializing FIPS mode
0:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

I followed the standard procedure to build the FIPS module. If I try running OpenSSL commands with FIPS enabled, it didn’t give me any errors:

root@haproxyOpenSSLFIPS-02:/home/ubuntu# OPENSSL_FIPS=1 openssl md5 xyz.txt
Error setting digest md5
140197799200408:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

But if I try via the app, it fails to initialize due to the fingerprint error.
I compiled the app build via the following make command:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib/

Whereas the FIPS module path is: /usr/local/ssl/fips-2.0

I’m thinking maybe the issue is at the path end while using make for haproxy (as above ^), but I’m not sure.

Here is the ldd haproxy result:

root@haproxyOpenSSLFIPS-02:/home/ubuntu/haproxy-1.9.2# ldd haproxy
linux-vdso.so.1 => (0x00007ffcd331c000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa12fef2000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa12fcd8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa12fabb000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa12f8b3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12f6af000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa12f43f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f075000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13012a000)
