
This queue is for tickets about the Net-SSLeay CPAN distribution.

Report information
The Basics
Id: 81347
Status: resolved
Worked: 30 min
Priority: 0/
Queue: Net-SSLeay

People
Owner: MIKEM [...] cpan.org
Requestors: ppisar [...] redhat.com
Cc:
AdminCc:

Bug Information
Severity: (no value)
Broken in: 1.49
Fixed in: (no value)

Attachments
0001-Enable-FIPS-for-t-local-05_passwd_cb.t.patch
0001-Load-all-algorithms-when-decrypting-stronly-encrypte.patch
Net-SSLeay-1.49-fips_tests.patch



Subject: Tests do not pass when OpenSSL runs in FIPS mode
If OpenSSL is switched into FIPS mode, some tests do not pass. That's because testing data use weak algorithms not available in FIPS mode. E.g. t/data/key.pem.e is encrypted using DES but DES as well as MD5 is not available in FIPS mode.

It would be great to upgrade all the tests to use stronger encryption.

It would be much better to perform tests on the weakly and strongly encrypted data and to make tests tolerant to unavailable algorithms. (If I'm correct, current Net::SSLeay cannot parse OpenSSL error code to retrieve failure reason, ERR_GET_REASON(3).)
Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 23 Nov 2012 08:08:19 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Hello Petr.

Can you indicate how to reproduce the problem you are reporting?

Cheers.

On Thursday, November 22, 2012 10:58:40 AM you wrote:
> Thu Nov 22 10:58:39 2012: Request 81347 was acted upon.
> Transaction: Ticket created by ppisar
> Queue: Net-SSLeay
> Subject: Tests do not pass when OpenSSL runs in FIPS mode
> Broken in: 1.49
> Severity: (no value)
> Owner: Nobody
> Requestors: ppisar@redhat.com
> Status: new
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> If OpenSSL is switched into FIPS mode, some tests do not pass. That's
> because testing data use weak algorithms not available in FIPS mode.
> E.g. t/data/key.pem.e is encrypted using DES but DES as well as MD5 is
> not available in FIPS mode.
>
> It would be great to upgrade all the tests to use stronger encryption.
>
> It would be much better to perform tests on the weakly and strongly
> encrypted data and to make tests tolerant to unavailable algorithms. (If
> I'm correct, current Net::SSLeay cannot parse OpenSSL error code to
> retrieve failure reason, ERR_GET_REASON(3).)
--
Mike McCauley mikem@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 23 Nov 2012 15:38:06 +0100
To: "mikem [...] open.com.au via RT" <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Thu, Nov 22, 2012 at 05:08:45PM -0500, mikem@open.com.au via RT wrote:
> Hello Petr.
>
> can you indicate how to reproduce the problem you are reporting?
>

Read <http://openssl.org/docs/fips/UserGuide-2.0.pdf>. You can call FIPS_mode_set(1) in your application, or put fips_mode=yes into alg_section in OpenSSL configuration file, or export OPENSSL_FIPS environment variable. Of course your OpenSSL must be compiled with enabled FIPS.

Example:

$ OPENSSL_FIPS=1 openssl rsa -passin pass:secret < t/data/key.pem.e
unable to load Private Key
140631549605728:error:0906B072:PEM routines:PEM_get_EVP_CIPHER_INFO:unsupported encryption:pem_lib.c:530:

However this seems not to be enough in Net-SSLeay case. OPENSSL_FIPS=1 perl t/local/05_passwd_cb.t does not fail.

But if I enable FIPS on operating system level at boot time (special argument fips=1 for initramdisk created by dracut tool <http://linux.die.net/man/8/dracut>), Linux reports 1 in /proc/sys/crypto/fips_enabled and Net-SSL test fails too.

I will investigate more what's the difference. Probably OpenSSL delegates some algorithms to kernel implementation which gets disabled in FIPS mode. This way Net-SSLeay fails even without calling FIPS_mode_set().

-- Petr

Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Wed, 28 Nov 2012 13:30:02 +0100
To: "mikem [...] open.com.au via RT" <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Fri, Nov 23, 2012 at 03:38:06PM +0100, Petr Pisar wrote:
>
> But if I enable FIPS on operating system level at boot time (special argument
> fips=1 for initramdisk created by dracut tool
> <http://linux.die.net/man/8/dracut>), Linux reports 1 in
> /proc/sys/crypto/fips_enabled and Net-SSL test fails too.
>
> I will investigate more what's the difference. Probably OpenSSL delegates some
> algorithms to kernel implementation which gets disabled in FIPS mode. This way
> Net-SSLeay fails even without calling FIPS_mode_set().
>

OpenSSL library does not obey OPENSSL_FIPS. This variable is specific for openssl(1) tool only.

Attached patch to Net-SSLeay-1.49 adds FIPS_mode_set() function to Net::SSLeay and enables FIPS mode for t/local/05_passwd_cb.t. You do not need any special Linux init ram disk or kernel. Just OpenSSL built with FIPS support. This way I can reproduce the failures:

$ perl -I./blib/arch -I./blib/lib t/local/05_passwd_cb.t
1..13
FIPS enabled
ok 1 - CTX_new
ok 2 - CTX_new
ok 3 - CTX_new
not ok 4 - CTX_use_PrivateKey_file works with right passphrase and userdata
#   Failed test 'CTX_use_PrivateKey_file works with right passphrase and userdata'
#   at t/local/05_passwd_cb.t line 64.

et cetera.

-- Petr


Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 30 Nov 2012 08:48:37 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Hello,

thanks for your note. I have now added support for SSL_FIPS_mode_set similar to your suggestion to Net-SSLeay in the SVN repository.

However, I have difficulty with your report that changing the test suite causes the test suite to fail.

I would suggest instead that you do not change the test suite.

Cheers.

On Wednesday, November 28, 2012 08:12:44 AM you wrote:
> Queue: Net-SSLeay
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> On Fri, Nov 23, 2012 at 03:38:06PM +0100, Petr Pisar wrote:
> > But if I enable FIPS on operating system level at boot time (special
> > argument fips=1 for initramdisk created by dracut tool
> > <http://linux.die.net/man/8/dracut>), Linux reports 1 in
> > /proc/sys/crypto/fips_enabled and Net-SSL test fails too.
> >
> > I will investigate more what's the difference. Probably OpenSSL delegates
> > some algorithms to kernel implementation which gets disabled in FIPS
> > mode. This way Net-SSLeay fails even without calling FIPS_mode_set().
>
> OpenSSL library does not obey OPENSSL_FIPS. This variable is specific for
> openssl(1) tool only.
>
> Attached patch to Net-SSLeay-1.49 adds FIPS_mode_set() function to
> Net::SSLeay and enables FIPS mode for t/local/05_passwd_cb.t. You do not
> need any special Linux init ram disk or kernel. Just OpenSSL built with
> FIPS support. This way I can reproduce the failures:
>
> $ perl -I./blib/arch -I./blib/lib t/local/05_passwd_cb.t
> 1..13
> FIPS enabled
> ok 1 - CTX_new
> ok 2 - CTX_new
> ok 3 - CTX_new
> not ok 4 - CTX_use_PrivateKey_file works with right passphrase and userdata
> #   Failed test 'CTX_use_PrivateKey_file works with right passphrase and
> userdata' #   at t/local/05_passwd_cb.t line 64.
>
> et cetera.
>
> -- Petr
Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 30 Nov 2012 09:08:26 +0100
To: "mikem [...] open.com.au via RT" <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Thu, Nov 29, 2012 at 05:48:59PM -0500, mikem@open.com.au via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> I have now added support for SSL_FIPS_mode_set similar to your suggestion to
> Net-SSLeay in the SVN repository.
>

Great. Actually I have patched Net-SSLeay locally in a similar way, including adding FIPS_mode(), which is to report if FIPS is enabled, and adding code into BOOT to call FIPS_mode_set(1) if OPENSSL_FIPS environment variable exists.

> However, I have difficulty with your report that changing the test suite
> causes the test suite to fail.
>
> I would suggest instead that you do not change the test suite.
>

This was just to demonstrate the problem and to allow you to reproduce the failure. Now I set FIPS automatically when loading Net-SSLeay, so I do not have to touch tests to get FIPS mode and failing tests.

I'm now fixing tests to use stronger encryption and skip disabled cryptographic algorithms to pass with and without FIPS. Once I finish it, I will send you my patches.

-- Petr

Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 30 Nov 2012 18:16:35 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Hello,

On Friday, November 30, 2012 03:08:44 AM you wrote:
> Queue: Net-SSLeay
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> On Thu, Nov 29, 2012 at 05:48:59PM -0500, mikem@open.com.au via RT wrote:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
> >
> > I have now added support for SSL_FIPS_mode_set similar to your suggestion
> > to Net-SSLeay in the SVN repository.
>
> Great. Actually I have patched Net-SSLeay locally in a similar way, including
> adding FIPS_mode(), which is to report if FIPS is enabled, and adding code
> into BOOT to call FIPS_mode_set(1) if OPENSSL_FIPS environment variable
> exists.
>
> > However, I have difficulty with your report that changing the test suite
> > causes the test suite to fail.
> >
> > I would suggest instead that you do not change the test suite.
>
> This was just to demonstrate the problem and to allow you to reproduce the
> failure. Now I set FIPS automatically when loading Net-SSLeay, so I do not
> have to touch tests to get FIPS mode and failing tests.
>
> I'm now fixing tests to use stronger encryption and skip disabled
> cryptographic algorithms to pass with and without FIPS. Once I finish it,
> I will send you my patches.

OK. Thanks.

Cheers.

>
> -- Petr
Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 30 Nov 2012 14:39:35 +0100
To: Bugs in Net-SSLeay via RT <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Thu, Nov 22, 2012 at 10:58:40AM -0500, Bugs in Net-SSLeay via RT wrote:
> If OpenSSL is switched into FIPS mode, some tests do not pass. That's
> because testing data use weak algorithms not available in FIPS mode.
> E.g. t/data/key.pem.e is encrypted using DES but DES as well as MD5 is
> not available in FIPS mode.
>
> It would be great to upgrade all the tests to use stronger encryption.
>
> It would be much better to perform tests on the weakly and strongly
> encrypted data and to make tests tolerant to unavailable algorithms. (If
> I'm correct, current Net::SSLeay cannot parse OpenSSL error code to
> retrieve failure reason, ERR_GET_REASON(3).)

Here is my patch set that adjusts tests to pass in FIPS mode. It's against Net-SSLeay-1.49 and the diff is in git format because of binary patches on PKCS#12 files (beware, patch from binutils does work on it correctly).

Each patch touches one test for easier review.

It passes on 1.0.1c, with enabled and with disabled FIPS mode. Some other OpenSSL versions can segfault in FIPS mode due to a bug in the OpenSSL. There is also an issue with listing available digest algorithms when the list obtained with P_EVP_MD_list_all() does not match list obtained with "openssl list-message-digest-algorithms". It's not fatal for Net-SSLeay, and I think it should be resolved in OpenSSL.

The patches change tests only. If you would like to add FIPS_mode() or to add FIPS mode according to OPENSSL_FIPS variable, I can provide necessary changes too, but first I'd like to ask you to provide me SVN repository URL because I could find ViewVCS web interface only which is not usable for cloning the repository.

-- Petr


Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 30 Nov 2012 23:44:19 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Hello Petr,

Will this patch work with all current and older versions of openssl, with or without FIPS mode compiled?

Cheers.

On Friday, November 30, 2012 08:40:01 AM you wrote:
> Queue: Net-SSLeay
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> On Thu, Nov 22, 2012 at 10:58:40AM -0500, Bugs in Net-SSLeay via RT wrote:
> > If OpenSSL is switched into FIPS mode, some tests do not pass. That's
> > because testing data use weak algorithms not available in FIPS mode.
> > E.g. t/data/key.pem.e is encrypted using DES but DES as well as MD5 is
> > not available in FIPS mode.
> >
> > It would be great to upgrade all the tests to use stronger encryption.
> >
> > It would be much better to perform tests on the weakly and strongly
> > encrypted data and to make tests tolerant to unavailable algorithms. (If
> > I'm correct, current Net::SSLeay cannot parse OpenSSL error code to
> > retrieve failure reason, ERR_GET_REASON(3).)
>
> Here is my patch set that adjusts tests to pass in FIPS mode. It's against
> Net-SSLeay-1.49 and the diff is in git format because of binary patches on
> PKCS#12 files (beware, patch from binutils does work on it correctly).
>
> Each patch touches one test for easier review.
>
> It passes on 1.0.1c, with enabled and with disabled FIPS mode. Some other
> OpenSSL versions can segfault in FIPS mode due to a bug in the OpenSSL.
> There is also an issue with listing available digest algorithms when the
> list obtained with P_EVP_MD_list_all() does not match list obtained with
> "openssl list-message-digest-algorithms". It's not fatal for Net-SSLeay,
> and I think it should be resolved in OpenSSL.
>
> The patches change tests only. If you would like to add FIPS_mode() or
> to add FIPS mode according to OPENSSL_FIPS variable, I can provide necessary
> changes too, but first I'd like to ask you to provide me SVN repository URL
> because I could find ViewVCS web interface only which is not usable for
> cloning the repository.
>
> -- Petr
Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Fri, 30 Nov 2012 15:07:46 +0100
To: "mikem [...] open.com.au via RT" <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Fri, Nov 30, 2012 at 08:44:39AM -0500, mikem@open.com.au via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> Will this patch work with all current and older versions of openssl, with or
> without FIPS mode compiled?
>

They do not call any FIPS related functions. And the other calls are conditionalized by OpenSSL version exactly the same way you already have in tests. I tested only 1.0.0j and 1.0.1c versions compiled with FIPS.

-- Petr

Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Sun, 02 Dec 2012 09:27:34 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Hello,

thanks for the patch. It works fine for openssl 1.* without FIPS mode, but does not succeed with openssl-0.9.8i as shown below. I won't be able to apply this patch unless it is backwards compatible with earlier versions of openssl still in common use.

Cheers.

cc -c -I/tmp/openssl-0.9.8i+extensions/include -D_REENTRANT -D_GNU_SOURCE -DPERL_USE_SAFE_PUTENV -fno-strict-aliasing -pipe -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -O2 -g -DVERSION=\"1.49\" -DXS_VERSION=\"1.49\" -fPIC "-I/usr/lib/perl5/5.16.0/i586-linux-thread-multi/CORE" SSLeay.c
Running Mkbootstrap for Net::SSLeay ()
chmod 644 SSLeay.bs
rm -f blib/arch/auto/Net/SSLeay/SSLeay.so
LD_RUN_PATH="/lib" cc -shared -fomit-frame-pointer -fmessage-length=0 -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector -funwind-tables -fasynchronous-unwind-tables -g -Wall -pipe SSLeay.o -o blib/arch/auto/Net/SSLeay/SSLeay.so \
    -L/tmp/openssl-0.9.8i+extensions -L/tmp/openssl-0.9.8i+extensions/lib -lssl -lcrypto -lz \

chmod 755 blib/arch/auto/Net/SSLeay/SSLeay.so
cp SSLeay.bs blib/arch/auto/Net/SSLeay/SSLeay.bs
chmod 644 blib/arch/auto/Net/SSLeay/SSLeay.bs
PERL_DL_NONLAZY=1 /usr/bin/perl "-MExtUtils::Command::MM" "-e" "test_harness(0, 'inc', 'blib/lib', 'blib/arch')" t/local/*.t t/handle/local/*.t
t/handle/local/05_use.t ................ ok
t/local/01_pod.t ....................... ok
t/local/02_pod_coverage.t .............. skipped: Test::Pod::Coverage 1.00 required for testing POD coverage
t/local/03_use.t ....................... ok
t/local/04_basic.t ..................... 1/6 # Version info:
# Testing Net::SSLeay 1.49, Perl 5.016000, /usr/bin/perl
# OpenSSL version: 'OpenSSL 0.9.8i 15 Sep 2008'
# OpenSSL platform: 'platform: linux-elf'
t/local/04_basic.t ..................... ok
t/local/05_passwd_cb.t ................. 1/13
#   Failed test 'CTX_use_PrivateKey_file works with right passphrase and userdata'
#   at t/local/05_passwd_cb.t line 63.

#   Failed test 'CTX_use_PrivateKey_file works with right passphrase and userdata'
#   at t/local/05_passwd_cb.t line 66.

#   Failed test 'CTX_use_PrivateKey_file works with right passphrase and without userdata'
#   at t/local/05_passwd_cb.t line 69.
# Looks like you failed 3 tests of 13.
t/local/05_passwd_cb.t ................. Dubious, test returned 3 (wstat 768, 0x300)
Failed 3/13 subtests
t/local/06_tcpecho.t ................... ok
t/local/07_sslecho.t ................... ok
t/local/08_pipe.t ...................... ok
t/local/15_bio.t ....................... ok
t/local/20_autoload.t .................. ok
t/local/21_constants.t ................. ok
t/local/30_error.t ..................... ok
t/local/31_rsa_generate_key.t .......... ok
t/local/32_x509_get_cert_info.t ........ ok
t/local/33_x509_create_cert.t .......... ok
t/local/34_x509_crl.t .................. ok
t/local/35_ephemeral.t ................. ok
t/local/36_verify.t .................... ok
t/local/37_asn1_time.t ................. ok
t/local/38_priv-key.t .................. 1/10
#   Failed test 'PEM_read_bio_PrivateKey encrypted - callback'
#   at t/local/38_priv-key.t line 24.

#   Failed test 'PEM_read_bio_PrivateKey encrypted - password'
#   at t/local/38_priv-key.t line 29.
# Looks like you failed 2 tests of 10.
t/local/38_priv-key.t .................. Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/10 subtests
t/local/39_pkcs12.t .................... ok
t/local/40_npn_support.t ............... skipped: openssl 1.0.1 required
t/local/50_digest.t .................... ok
t/local/61_threads-cb-crash.t .......... ok
t/local/62_threads-ctx_new-deadlock.t .. ok
t/local/kwalitee.t ..................... ok

Test Summary Report
-------------------
t/local/05_passwd_cb.t (Wstat: 768 Tests: 13 Failed: 3)
  Failed tests:  5, 7, 9
  Non-zero exit status: 3
t/local/38_priv-key.t (Wstat: 512 Tests: 10 Failed: 2)
  Failed tests:  4, 6
  Non-zero exit status: 2
Files=27, Tests=2567,  5 wallclock secs ( 0.21 usr  0.02 sys +  4.42 cusr  0.20 csys =  4.85 CPU)
Result: FAIL
Failed 2/27 test programs. 5/2567 subtests failed.
make: *** [test_dynamic] Error 255

On Friday, November 30, 2012 09:08:02 AM you wrote:
> Queue: Net-SSLeay
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> On Fri, Nov 30, 2012 at 08:44:39AM -0500, mikem@open.com.au via RT wrote:
> > <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
> >
> > Will this patch work with all current and older versions of openssl, with
> > or without FIPS mode compiled?
>
> They do not call any FIPS related functions. And the other calls are
> conditionalized by OpenSSL version exactly the same way you already have in
> tests. I tested only 1.0.0j and 1.0.1c versions compiled with FIPS.
>
> -- Petr
Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Mon, 3 Dec 2012 15:12:52 +0100
To: "mikem [...] open.com.au via RT" <bug-Net-SSLeay [...] rt.cpan.org>
From: Petr Pisar <ppisar [...] redhat.com>
On Sat, Dec 01, 2012 at 06:27:54PM -0500, mikem@open.com.au via RT wrote:
>
> It works fine for openssl 1.* without FIPS mode, but does not succeed with
> openssl-0.9.8i as shown below. I won't be able to apply this patch unless it
> is backwards compatible with earlier versions of openssl still in common
> use.
>

You are right, it does not work with 0.9.8 because such an old library does not load some strong hash algorithms by default. Attached patch should fix it. I tested it with 0.9.8x in non-FIPS mode and with the two 1.* with and without FIPS.

-- Petr


Subject: Re: [rt.cpan.org #81347] Tests do not pass when OpenSSL runs in FIPS mode
Date: Tue, 04 Dec 2012 11:52:08 +1000
To: bug-Net-SSLeay [...] rt.cpan.org
From: Mike McCauley <mikem [...] open.com.au>
Hello,

thanks for your second patch. It tests fine with 0.9.8. Your patches have now been incorporated in SVN 360.

On Monday, December 03, 2012 09:13:08 AM Petr Pisar via RT wrote:
> Queue: Net-SSLeay
> Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=81347 >
>
> On Sat, Dec 01, 2012 at 06:27:54PM -0500, mikem@open.com.au via RT wrote:
> > It works fine for openssl 1.* without FIPS mode, but does not succeed with
> > openssl-0.9.8i as shown below. I won't be able to apply this patch unless
> > it
> > is backwards compatible with earlier versions of openssl still in common
> > use.
>
> You are right, it does not work with 0.9.8 because such an old library does not
> load some strong hash algorithms by default. Attached patch should fix it.
> I tested it with 0.9.8x in non-FIPS mode and with the two 1.* with and
> without FIPS.
>
> -- Petr
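The approach the thread converges on (switch FIPS on from the test itself, load all algorithms so 0.9.8 can decrypt the re-encrypted keys, and skip rather than fail when an algorithm is disabled) as a single self-contained Perl test, written as an added example for this page; it is not one of the attached patches nor code from the Net-SSLeay distribution. It assumes Net::SSLeay exposes FIPS_mode_set (the function this ticket added to SVN), that t/data/key.pem.e is the 1.49 test key with passphrase "secret", and that the packed OpenSSL error-code layout is the 0.9.8/1.0.x one (library in the top 8 bits, reason in the low 12 bits, which is all ERR_GET_LIB/ERR_GET_REASON do in those releases).

```perl
#!/usr/bin/perl
# Added example, not part of Net-SSLeay or the attached patches.
use strict;
use warnings;
use Test::More;
use File::Spec;
use Net::SSLeay;

Net::SSLeay::load_error_strings();
Net::SSLeay::ERR_load_crypto_strings();
Net::SSLeay::SSLeay_add_ssl_algorithms();
# OpenSSL 0.9.8 does not register the stronger digests by default, so a key
# protected with a modern cipher cannot be decrypted there without this call.
Net::SSLeay::OpenSSL_add_all_algorithms();

# libcrypto ignores OPENSSL_FIPS (only openssl(1) honours it), so the test
# switches the mode itself when asked to. Assumes FIPS_mode_set is wrapped.
my $fips = 0;
if ($ENV{OPENSSL_FIPS}) {
    plan skip_all => 'this Net::SSLeay has no FIPS_mode_set'
        unless Net::SSLeay->can('FIPS_mode_set');
    $fips = Net::SSLeay::FIPS_mode_set(1)
        or plan skip_all => 'FIPS_mode_set(1) failed: '
            . Net::SSLeay::ERR_error_string(Net::SSLeay::ERR_get_error());
}
diag($fips ? 'FIPS enabled' : 'FIPS disabled');

# Net::SSLeay 1.49 does not wrap ERR_GET_LIB/ERR_GET_REASON; for 0.9.8/1.0.x
# the packed code is lib:8 func:12 reason:12, so the report's 0906B072 is
# lib 9 (PEM) with reason 0x072 = 114 = PEM_R_UNSUPPORTED_ENCRYPTION.
use constant ERR_LIB_PEM                  => 9;
use constant PEM_R_UNSUPPORTED_ENCRYPTION => 114;
sub err_lib    { return ($_[0] >> 24) & 0xff }
sub err_reason { return $_[0] & 0xfff }

# Hex digest of $data with the named algorithm, or undef when the digest is
# unknown or DigestInit refuses it (what a FIPS build does for md5).
sub digest_hex {
    my ($name, $data) = @_;
    my $md = Net::SSLeay::EVP_get_digestbyname($name) or return;
    my $ctx = Net::SSLeay::EVP_MD_CTX_create();
    my $hex;
    if (Net::SSLeay::EVP_DigestInit($ctx, $md)) {
        Net::SSLeay::EVP_DigestUpdate($ctx, $data);
        $hex = unpack('H*', Net::SSLeay::EVP_DigestFinal($ctx));
    }
    Net::SSLeay::EVP_MD_CTX_destroy($ctx);
    Net::SSLeay::ERR_clear_error();   # a refused digest must not leak into later checks
    return $hex;
}

# Load a passphrase-protected PEM key into a fresh CTX. Returns 'ok',
# 'unsupported' (the PEM cipher is disabled, e.g. DES under FIPS) or 'failed'
# (anything else, such as a wrong passphrase), plus the first queued error.
sub load_key {
    my ($file, $pass) = @_;
    my $ctx = Net::SSLeay::CTX_new() or die 'CTX_new failed';
    Net::SSLeay::CTX_set_default_passwd_cb($ctx, sub { $pass });
    my $ok = Net::SSLeay::CTX_use_PrivateKey_file($ctx, $file,
                                                  Net::SSLeay::FILETYPE_PEM());
    my ($first, $unsupported) = (0, 0);
    while (my $err = Net::SSLeay::ERR_get_error()) {   # drains the whole queue
        $first ||= $err;
        $unsupported = 1 if err_lib($err) == ERR_LIB_PEM
                         && err_reason($err) == PEM_R_UNSUPPORTED_ENCRYPTION;
    }
    Net::SSLeay::CTX_free($ctx);
    return $ok ? ('ok', 0) : $unsupported ? ('unsupported', $first) : ('failed', $first);
}

my $key = File::Spec->catfile('t', 'data', 'key.pem.e');   # DES-encrypted in 1.49
my ($status, $err) = load_key($key, 'secret');
SKIP: {
    skip('key cipher not available in this mode: '
         . Net::SSLeay::ERR_error_string($err), 1) if $status eq 'unsupported';
    is($status, 'ok', 'CTX_use_PrivateKey_file works with right passphrase');
}
for my $alg (qw(md5 sha1 sha256)) {
    SKIP: {
        my $hex = digest_hex($alg, 'constructed sample input');
        skip("$alg not available in this mode", 1) unless defined $hex;
        my $md = Net::SSLeay::EVP_get_digestbyname($alg);
        is(length $hex, 2 * Net::SSLeay::EVP_MD_size($md), "$alg digest usable");
    }
}
done_testing();
```

Run it from the distribution root with and without OPENSSL_FIPS=1 set; under FIPS the DES key and md5 become skips instead of failures, while a wrong passphrase still fails.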