Hi Experts,
Looking for some help. I’ve compiled HAProxy in FIPS mode, and while running haproxy I’m getting a fingerprint mismatch error. I’ve followed the standard procedure to build a FIPS module using the OpenSSL User Guide 2.0, but I'm not sure what part is missing.
:~$ openssl version
OpenSSL 1.0.2q-fips 20 Nov 2018
:~$ haproxy -vv
error initializing FIPS mode
0:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:
That’s most likely a build issue. What’s the output of ldd haproxy? Did you compile openssl statically?
Hi Lukas,
Thanks for your response. I followed the standard procedure to build the FIPS module. If I try running OpenSSL commands with FIPS enabled, it doesn’t give me any errors:
root@haproxyOpenSSLFIPS-02:/home/ubuntu# OPENSSL_FIPS=1 openssl md5 haproxy-1.9.2.tar.gz
Error setting digest md5
140197799200408:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
But if I try via haproxy, it fails to initialize due to the fingerprint error.
I compiled the haproxy build via the following make command:
make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 SSL_INC=/usr/local/ssl/include SSL_LIB=/usr/local/ssl/lib/
Whereas the FIPS module path is: /usr/local/ssl/fips-2.0
I’m thinking maybe the issue is at the path end while using make for haproxy (as above ^), but I'm not sure.
Here is ldd haproxy result:
root@haproxyOpenSSLFIPS-02:/home/ubuntu/haproxy-1.9.2# ldd haproxy
linux-vdso.so.1 => (0x00007ffcd331c000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa12fef2000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa12fcd8000)
libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0 (0x00007fa12fabb000)
librt.so.1 => /lib/x86_64-linux-gnu/librt.so.1 (0x00007fa12f8b3000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fa12f6af000)
libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007fa12f43f000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f075000)
/lib64/ld-linux-x86-64.so.2 (0x00007fa13012a000)
Regards
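The ldd listing above resolves no libcrypto.so or libssl.so, which means OpenSSL was linked into the haproxy binary statically. With the OpenSSL FIPS Object Module 2.0 that matters: the fingerprint that FIPS_check_incore_fingerprint verifies is embedded at link time by the fipsld wrapper, so when libcrypto.a is linked into the application the final link of the application itself has to run through fipsld (with a shared libcrypto.so, fipsld already ran when OpenSSL was built with "./config fips shared" and the application link needs nothing extra). The script below is an added example, not code from this thread or from the HAProxy or OpenSSL projects: it classifies an ldd listing, checks that the module install directory holds the files fipsld relies on, and prints the matching make invocation. The /usr/local/ssl paths are the ones posted in the thread; fipsld, FIPSLD_CC, fips_standalone_sha1, fipscanister.o and fips_premain.c come from the FIPS User Guide 2.0; both ldd listings are constructed samples.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the thread, HAProxy or OpenSSL).
# It decides from an `ldd` listing whether libcrypto is linked statically
# or dynamically and prints the FIPS 2.0 link recipe that applies.

FIPSDIR=${FIPSDIR:-/usr/local/ssl/fips-2.0}   # path posted in the thread
SSLDIR=${SSLDIR:-/usr/local/ssl}              # path posted in the thread

# classify_linkage LDD_OUTPUT -> "dynamic" if libcrypto/libssl is resolved
# at run time, "static" otherwise (note libcrypt.so, the glibc crypt
# library, is deliberately not matched).
classify_linkage() {
    if printf '%s\n' "$1" | grep -Eq 'lib(crypto|ssl)\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# fips_module_present [DIR] -> 0 when the files fipsld needs are installed;
# otherwise lists what is missing on stderr and returns 1.
fips_module_present() {
    dir=${1:-$FIPSDIR}
    missing=0
    for f in bin/fipsld bin/fips_standalone_sha1 lib/fipscanister.o \
             lib/fipscanister.o.sha1 lib/fips_premain.c lib/fips_premain.c.sha1; do
        if [ ! -e "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# fips_link_recipe LINKAGE -> prints the make line for haproxy that matches
# the linkage kind.
fips_link_recipe() {
    case "$1" in
        static)
            # libcrypto.a is inside the executable, so the fingerprint over the
            # FIPS module text/rodata must be embedded in the executable itself:
            # the final link must go through fipsld, with the real compiler in
            # FIPSLD_CC.
            printf 'make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 \\\n'
            printf '     SSL_INC=%s/include SSL_LIB=%s/lib \\\n' "$SSLDIR" "$SSLDIR"
            printf '     CC=%s/bin/fipsld FIPSLD_CC=gcc\n' "$FIPSDIR"
            ;;
        dynamic)
            # libcrypto.so carries its own fingerprint (fipsld linked it when
            # OpenSSL was built with "./config fips shared"); nothing extra here.
            printf 'make TARGET=linux2628 USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 \\\n'
            printf '     SSL_INC=%s/include SSL_LIB=%s/lib\n' "$SSLDIR" "$SSLDIR"
            ;;
        *)
            echo "unknown linkage kind: $1" >&2
            return 1
            ;;
    esac
}

# Constructed sample: the listing posted in the thread (no libcrypto line).
SAMPLE_STATIC='linux-vdso.so.1 => (0x00007ffcd331c000)
libcrypt.so.1 => /lib/x86_64-linux-gnu/libcrypt.so.1 (0x00007fa12fef2000)
libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fa12fcd8000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fa12f075000)'

# Constructed sample: what a build against a shared libcrypto would show.
SAMPLE_DYNAMIC='libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f0000000000)
libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0000100000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000200000)'

main() {
    if fips_module_present; then
        echo "FIPS module files found under $FIPSDIR"
    else
        echo "FIPS module install under $FIPSDIR is incomplete (see above)"
    fi
    for sample in "$SAMPLE_STATIC" "$SAMPLE_DYNAMIC"; do
        kind=$(classify_linkage "$sample")
        echo "== libcrypto linkage: $kind =="
        fips_link_recipe "$kind"
    done
}

main
```

On a real box, feed the listing of the binary in question instead of the samples, e.g. `kind=$(classify_linkage "$(ldd ./haproxy)")`. If the recipe says fipsld is required but the binary was linked with plain gcc, the fingerprint check cannot succeed, whatever the SSL_INC/SSL_LIB paths are.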
Sorry, I don’t know what’s wrong and I don’t have the time to dig into the FIPS specifics. Maybe you can get someone on the openssl-users list to help you? They will certainly have more experience with those FIPS builds, whatever the application.
I’ll check on the openssl forum. Thanks Lukas