Score:2

Apache fails to start when running in FIPS mode

fj flag

Problem Description

According to the Ubuntu FIPS 140-2 FAQ document Apache2 is "known to work" when the Ubuntu Pro FIPS 140-2 modules are installed. However when I turn on the SSLFIPS directive for mod_ssl Apache fails to start with the following error:

Oct 10 19:36:14 apache-fips apachectl[1831]: AH00526: Syntax error on line 227 of /etc/apache2/apache2.conf:
Oct 10 19:36:14 apache-fips apachectl[1831]: SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
Oct 10 19:36:14 apache-fips apachectl[1829]: Action 'stop' failed.
Oct 10 19:36:14 apache-fips apachectl[1829]: The Apache error log may have more information.
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Failed with result 'exit-code'.

My goal is to serve a web application using Apache, with the transport protected by FIPS-validated crypto.

Relevant versions:

apache2 2.4.41-4ubuntu3.12
openssl 1.1.1f-1ubuntu2.fips.16

Replication Steps

  1. Enable fips-updates and reboot (I have also tried with ua enable fips):
root@apache-fips:~# ua enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install.
root@apache-fips:~# reboot
  1. Verify that non-FIPS compliant algorithms fail (MD5) and that FIPS complaint algorithms succeed (SHA256):
root@apache-fips:~# openssl md5 /proc/sys/crypto/fips_enabled
Error setting digest
139974463972608:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:../crypto/evp/digest.c:135:
root@apache-fips:~# openssl sha256 /proc/sys/crypto/fips_enabled
SHA256(/proc/sys/crypto/fips_enabled)= 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
  1. Verify that an HTTPS request succeeds:
root@apache-fips:~# curl -Ik https://127.0.0.1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2022 19:33:44 GMT
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
Last-Modified: Fri, 09 Sep 2022 20:11:13 GMT
ETag: "2aa6-5e84425cf6d1f"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
  1. Enable SSLFIPS directive to tell mod_ssl to use FIPS crypto:
root@apache-fips:~# grep SSLFIPS /etc/apache2/apache2.conf 
SSLFIPS on
  1. Restart Apache and observe the service failure:
Oct 10 19:36:14 apache-fips apachectl[1831]: AH00526: Syntax error on line 227 of /etc/apache2/apache2.conf:
Oct 10 19:36:14 apache-fips apachectl[1831]: SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
Oct 10 19:36:14 apache-fips apachectl[1829]: Action 'stop' failed.
Oct 10 19:36:14 apache-fips apachectl[1829]: The Apache error log may have more information.
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Failed with result 'exit-code'.
Oct 10 19:36:14 apache-fips systemd[1]: Stopped The Apache HTTP Server.

Can anyone help with that?

David avatar
cn flag
As Ubuntu Pro has not been released yet it is off topic on this site.
Mark Riddell avatar
fj flag
The Ubuntu Pro rebranding is new, but the FIPS 140-2 validated Crypto modules have been available since summer 2021 under the Ubuntu Advantage banner. See [here](https://csrc.nist.gov/CSRC/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp3966.pdf) and [here](https://ubuntu.com/blog/running-fips-140-workloads-on-ubuntu). Even the FAQ that I linked at the beginning of my post was last updated 10 months ago. The fact that the scheme has been renamed to Ubuntu Pro has no impact on my issue.
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.