Apache fails to start when running in FIPS mode


Problem description

According to the Ubuntu FIPS 140-2 FAQ document, Apache2 is "known to work" when the Ubuntu Pro FIPS 140-2 modules are installed. But when I turn on the SSLFIPS directive, Apache mod_ssl fails to start with the following error:

Oct 10 19:36:14 apache-fips apachectl[1831]: AH00526: Syntax error on line 227 of /etc/apache2/apache2.conf:
Oct 10 19:36:14 apache-fips apachectl[1831]: SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
Oct 10 19:36:14 apache-fips apachectl[1829]: Action 'stop' failed.
Oct 10 19:36:14 apache-fips apachectl[1829]: The Apache error log may have more information.
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Failed with result 'exit-code'.

My goal is to serve a web application with Apache and protect it in transit with FIPS-validated cryptography.

Relevant versions:

apache2 2.4.41-4ubuntu3.12
openssl 1.1.1f-1ubuntu2.fips.16

Steps to reproduce

  1. Enable fips-updates and reboot (I also tried ua enable fips):
root@apache-fips:~# ua enable fips-updates
One moment, checking your subscription first
This will install the FIPS packages including security updates.
Warning: This action can take some time and cannot be undone.
Are you sure? (y/N) y
Updating package lists
Installing FIPS Updates packages
FIPS Updates enabled
A reboot is required to complete install.
root@apache-fips:~# reboot
  2. Verify that a non-FIPS-approved algorithm (MD5) fails and a FIPS-approved one (SHA256) succeeds:
root@apache-fips:~# openssl md5 /proc/sys/crypto/fips_enabled
Error setting digest
139974463972608:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:../crypto/evp/digest.c:135:
root@apache-fips:~# openssl sha256 /proc/sys/crypto/fips_enabled
SHA256(/proc/sys/crypto/fips_enabled)= 4355a46b19d348dc2f57c046f8ef63d4538ebb936000f3c9ee954a27460dd865
  3. Verify that an HTTPS request succeeds:
root@apache-fips:~# curl -Ik https://127.0.0.1
HTTP/1.1 200 OK
Date: Mon, 10 Oct 2022 19:33:44 GMT
Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
Last-Modified: Fri, 09 Sep 2022 20:11:13 GMT
ETag: "2aa6-5e84425cf6d1f"
Accept-Ranges: bytes
Content-Length: 10918
Vary: Accept-Encoding
Content-Type: text/html
  4. Enable the SSLFIPS directive to tell mod_ssl to use FIPS cryptography:
root@apache-fips:~# grep SSLFIPS /etc/apache2/apache2.conf 
SSLFIPS on
  5. Restart Apache and observe the service failing:
Oct 10 19:36:14 apache-fips apachectl[1831]: AH00526: Syntax error on line 227 of /etc/apache2/apache2.conf:
Oct 10 19:36:14 apache-fips apachectl[1831]: SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
Oct 10 19:36:14 apache-fips apachectl[1829]: Action 'stop' failed.
Oct 10 19:36:14 apache-fips apachectl[1829]: The Apache error log may have more information.
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE
Oct 10 19:36:14 apache-fips systemd[1]: apache2.service: Failed with result 'exit-code'.
Oct 10 19:36:14 apache-fips systemd[1]: Stopped The Apache HTTP Server.

Can anyone help?
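The checks the report walks through (kernel FIPS flag, OpenSSL refusing MD5, the SSLFIPS error from apachectl), as an added pre-flight script that is not part of the original post. It validates the Apache config before touching the running service, and the helper names, the SAMPLE_LOG line (copied from the report) and the temp-file path used for testing are this example's own assumptions.

```shell
#!/bin/sh
# Pre-flight checks before enabling "SSLFIPS on" in mod_ssl on a FIPS host.
# Every check is a function returning 0 (ok) / 1 (problem) so it can be scripted.

# Constructed sample: the journal line from the report, used for classification.
SAMPLE_LOG='apachectl[1831]: SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS'

# Kernel-side FIPS flag ("1" when the FIPS kernel is active). The path is a
# parameter only so the check can be exercised against a constructed file.
fips_kernel_enabled() {
  f="${1:-/proc/sys/crypto/fips_enabled}"
  [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Userspace side: in FIPS mode OpenSSL must refuse MD5 ("disabled for FIPS").
# A successful MD5 digest means the library is NOT enforcing FIPS.
# Returns 2 when openssl is not installed at all.
openssl_refuses_md5() {
  command -v openssl >/dev/null 2>&1 || return 2
  if printf 'x' | openssl dgst -md5 >/dev/null 2>&1; then return 1; fi
  return 0
}

# Classify apachectl output. The "rebuild httpd and openssl compiled for FIPS"
# message is emitted at config-parse time when mod_ssl was built against an
# OpenSSL without FIPS mode support, so the directive is rejected outright.
classify_apache_error() {
  case "$1" in
    *"SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS"*) echo "mod_ssl-no-fips" ;;
    *"AH00526: Syntax error"*) echo "config-syntax" ;;
    *) echo "unknown" ;;
  esac
}

# Validate the config first; a rejected SSLFIPS line then shows up as a
# configtest failure instead of a restart that stops the running service.
apache_safe_restart() {
  out=$(apachectl configtest 2>&1) || { classify_apache_error "$out"; return 1; }
  apachectl graceful
}

# Full pre-flight: run on the host as root before flipping SSLFIPS on.
preflight() {
  fips_kernel_enabled || { echo "kernel FIPS flag not set"; return 1; }
  openssl_refuses_md5 || { echo "openssl still allows MD5: not in FIPS mode"; return 1; }
  apache_safe_restart
}
```

Run `preflight` on the host; a result of mod_ssl-no-fips means the config test reproduced the report's error without having stopped Apache.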
