[SERVER-24350] Enabling SSL FIPS mode fails with unexpected error message on Ubuntu 16.04
Created: 01/Jun/16 Updated: 08/Aug/19 Resolved: 07/Oct/16

| Status: | Closed |
| Project: | Core Server |
| Component/s: | Internal Code, Portability |
| Affects Version/s: | 3.2.6, 3.3.6 |
| Fix Version/s: | 3.2.13, 3.4.0-rc1 |
| Type: | Bug | Priority: | Major - P3 |
| Reporter: | Spencer Jackson | Assignee: | Spencer Jackson |
| Resolution: | Done | Votes: | 0 |
| Labels: | bkp |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Backwards Compatibility: | Fully Compatible |
| Operating System: | ALL |
| Backport Requested: | v3.2 |
| Sprint: | Platforms 2017-03-27 |
| Linked BF Score: | 0 |
| Description |
Currently, the ssl_fips.js test fails on Ubuntu 16.04. This test attempts to activate FIPS mode and then, if FIPS fails to activate, ensures that the printed error message is consistent with the OS not providing a FIPS module. On Ubuntu 14.04, we get the correct error message:
This message clearly indicates that FIPS is unavailable in OpenSSL. On Ubuntu 16.04, the following error message is printed:
The SSL integration appears to be detecting that FIPS is unavailable, but for some reason OpenSSL is not setting an error code.
| Comments |
| Comment by Githook User [ 10/Apr/17 ] |

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)
Message: (cherry picked from commit 0508bae1af9d95a36a12ec20c23f2adbafe4b738)
| Comment by Githook User [ 07/Oct/16 ] |

Author: Spencer Jackson (spencerjackson, spencer.jackson@mongodb.com)
Message:
| Comment by Spencer Jackson [ 02/Jun/16 ] |

I filed a report of this issue upstream here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1588524
| Comment by Spencer Jackson [ 01/Jun/16 ] |

I suspect that the patch openssl_1.0.2g-ubuntu-fips-cleanup.patch contained in https://launchpad.net/ubuntu/+archive/primary/+files/openssl_1.0.2g-1ubuntu4.1.debian.tar.xz, which is referenced from https://launchpad.net/ubuntu/xenial/+source/openssl, may have something to do with this. It contains the following change:
I believe this would clear the returned error message, as we are seeing. I will file a report upstream, but in the meantime I will add an exception to this test which will recognize this particular error message, along with a comment to remove the exception after the resolution of this ticket.