intermittent Apache/OpenSSL error hangs server

Jerry Blasdel jblaz2019 at gmail.com
Thu Jan 9 16:42:47 UTC 2020


Here is more information.  On the server that is having this issue, prior
to the FIPS_drbg_generate errors (these show up every time that worker pid
is selected to serve a request) we have a single OpenSSL error that shows
up in the logs.

SSL Library Error: error:2D06A07F: FIPS routines: FIPS_CHECK_EC:pairwise
test failed

Once we get that error, every time we try to serve a request in Apache
using that pid, it errors out.  So, it seems like something randomly
corrupts that PID.  Can someone provide some information about
FIPS_CHECK_EC: pairwise test failed?

Thanks

On Tue, Jan 7, 2020 at 7:21 AM Jerry Blasdel <jblaz2019 at gmail.com> wrote:

> I have several servers configured the same, running Apache
> 2.4X/OpenSSL1.02 fips-enabled.
>
> On one server we periodically get the following errors in the Apache logs:
>
> SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed.  In
> some cases, the server continues to service requests, but in other cases
> the server hangs and will not process requests until the worker pid
> receiving the error is killed, or a kill -HUP is issued on the Apache root
> pid.
>
> I see someone else had a similar issue but I can't find any resolution.
>
> https://mta.openssl.org/pipermail/openssl-users/2016-October/004657.html
>
> Other information...
>
> We have looked at the entropy on the server when it is working properly vs
> when it hangs and could not find any big differences.
>
> Also, SSLRandomSeed is configured for startup and connect in Apache.
>
> Any help would be appreciated.
>
> Thanks
>
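
Added example, not part of the original post and not Apache or OpenSSL code: a small triage script for the pattern described above, where one worker pid logs the FIPS_CHECK_EC pairwise failure and then logs FIPS_drbg_generate errors on later requests. The log lines are constructed in the Apache 2.4 error-log layout; the pids, timestamps and the function name `find_stuck_workers` are assumptions, and the error strings are the ones quoted in the post.

```python
import re

PID = re.compile(r"\[pid (\d+)(?::tid \d+)?\]")
TRIGGER = re.compile(r"FIPS_CHECK_EC:\s*pairwise test failed")
FOLLOWUP = re.compile(r"FIPS_drbg_generate:\s*selftest failed")

# Constructed sample: pids and timestamps are invented, error text is as quoted
# in the post (the DRBG error code is left as "xxxxxx", as it appears there).
SAMPLE_LOG = """\
[Thu Jan 09 10:00:01.000000 2020] [core:notice] [pid 4100] constructed filler line
[Thu Jan 09 10:00:05.000000 2020] [ssl:error] [pid 4102] SSL Library Error: error:2D06A07F:FIPS routines:FIPS_CHECK_EC:pairwise test failed
[Thu Jan 09 10:00:09.000000 2020] [ssl:error] [pid 4102] SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed
[Thu Jan 09 10:00:11.000000 2020] [core:notice] [pid 4100] constructed filler line
[Thu Jan 09 10:00:15.000000 2020] [ssl:error] [pid 4102] SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed
[Thu Jan 09 10:00:20.000000 2020] [ssl:error] [pid 4107] SSL Library Error: error:xxxxxx:FIPS_drbg_generate:selftest failed
"""

def find_stuck_workers(lines):
    """Return (stuck, orphans).
    stuck:   {pid: {"trigger_line": n, "followups": k}} for every pid that
             logged the pairwise failure, with the count of later DRBG errors.
    orphans: sorted pids with DRBG errors but no pairwise failure in this
             input (for example, the trigger is in a rotated log file)."""
    stuck, orphans = {}, set()
    for n, line in enumerate(lines, 1):
        m = PID.search(line)
        if not m:
            continue
        pid = int(m.group(1))
        if TRIGGER.search(line):
            stuck.setdefault(pid, {"trigger_line": n, "followups": 0})
        elif FOLLOWUP.search(line):
            if pid in stuck:
                stuck[pid]["followups"] += 1
            else:
                orphans.add(pid)
    return stuck, sorted(orphans)

if __name__ == "__main__":
    stuck, orphans = find_stuck_workers(SAMPLE_LOG.splitlines())
    for pid, info in stuck.items():
        print(f"pid {pid}: pairwise failure at line {info['trigger_line']}, "
              f"{info['followups']} DRBG errors since; kill this worker or HUP the parent")
    for pid in orphans:
        print(f"pid {pid}: DRBG errors without a pairwise failure in this file; check older logs")
```
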