Haproxy with FIPS failing

Hi Experts,

Looking for some help. I’ve compiled HAProxy in FIPS mode, and while running haproxy I’m getting a fingerprint mismatch error. I’ve followed the standard procedure to build a FIPS module using the OpenSSL UserGuide 2.0, but I’m not sure what part is missing.

:~$ openssl version
OpenSSL 1.0.2q-fips 20 Nov 2018

:~$ haproxy -vv
error initializing FIPS mode
0:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

That’s most likely a build issue. What’s the output of ldd haproxy? Did you compile openssl statically?

Hi Lukas,

Thanks for your response. I followed the standard procedure to build the FIPS module. If I try running OpenSSL commands with FIPS enabled, it doesn’t give me any errors:

root@haproxyOpenSSLFIPS-02:/home/ubuntu# OPENSSL_FIPS=1 openssl md5 haproxy-1.9.2.tar.gz
Error setting digest md5
140197799200408:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

But if I try via haproxy, it fails to initialize due to the fingerprint error.
I compiled the haproxy build via the following make command:

make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib/

Whereas the FIPS module path is: /usr/local/ssl/fips-2.0

I’m thinking maybe the issue is at the path end while using make for haproxy (as above ^), but I’m not sure.

Here is the ldd haproxy result:

root@haproxyOpenSSLFIPS-02:/home/ubuntu/haproxy-1.9.2# ldd haproxy
linux-vdso.so.1 => (0x00007ffcd331c000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa12fef2000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa12fcd8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa12fabb000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa12f8b3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12f6af000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa12f43f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f075000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13012a000)

Regards

Sorry, I don’t know what’s wrong and I don’t have the time to dig into the FIPS specifics. Maybe you can get someone on the openssl-users list to help you? They will certainly have more experience with those FIPS builds, whatever the application.

I’ll check on the openssl forum. Thanks, Lukas.

Hi Lukas,
If you have the standard procedure to build HAProxy in FIPS mode, then please share the procedure with me by email: arun.viswanath@gmail.com

There is not.