I have traced through the mod_ssl and the OpenSSL FIPS code as best I can and I believe that the SSLRandomSeed configuration parameter given in the mod_ssl.conf file simply doesn't do anything useful when FIPS mode is enabled in mod_ssl.

Tracing the code in ssl_init_Module() appears to show that the function ssl_rand_seed() is called before FIPS mode is set. ssl_rand_seed() will perform seeding from the given SSLRandomSeed defined source(s), but once you switch to FIPS mode, the DRBG is re-created from scratch without retaining any of the information.

In fact, OpenSSL's FIPS mode appears to go out of its way to source from /dev/urandom, /dev/random and /dev/srandom (in that order) according to the DEVRANDOM macro defined in the OpenSSL base code e_os.h when compiled for a standard Linux target.

Does anyone have any experience with this combination?

Can they comment on how to provide a run-time selected entropy source such as a processed file? Do I have to recompile OpenSSL and supply a new DEVRANDOM definition each time I want to change my randomness source?

logicalscope

1 Answer

Can they comment on how to provide a run-time selected entropy source such as a processed file? Do I have to recompile OpenSSL and supply a new DEVRANDOM definition each time I want to change my randomness source?

I think there are three issues here. First, what is used for the PRNG when operating in FIPS mode; second, how do you seed the generator; and third, how does Apache/mod_ssl integrate with the first two.

First, when FIPS_mode_enable succeeds, then the default OpenSSL generator of md_rand is switched out. The DRBG used is specified in SP800-90 (sans the Dual-EC generator). By default, that's the AES/CTR generator. You are correct in that the previous seed is no longer used. This is discussed in general on the Random Numbers OpenSSL wiki page.

Second, the generator auto-seeds itself to ensure it's in good working order. You can still call RAND_seed to add entropy to the generator because the RAND interface is pretty much agnostic to the underlying generator. This is discussed in general on the Random Numbers OpenSSL wiki page.

Third, there's a disconnect between Apache/mod_ssl and OpenSSL. Apparently, Apache/mod_ssl does not know about these details. You will probably need to write some glue code that understands how to work with OpenSSL and the RAND_* interface in particular. Perhaps you can do this by providing a custom mod.

jww
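
One way to write the glue the answer above describes, as an added example that is not code from the post, mod_ssl or OpenSSL: a helper that reads a seed file chosen at run time and hands it to a sink with the same signature as RAND_seed, meant to be called after FIPS mode is on. The names seed_from_file, seed_sink_fn, demo_sink, SEED_BUF_MAX and seed.bin are hypothetical, and demo_sink stands in for RAND_seed so the file builds without OpenSSL headers.

```c
#include <stdio.h>
#include <stddef.h>

#define SEED_BUF_MAX 1024

/* Same signature as OpenSSL's RAND_seed(const void *buf, int num), so glue
 * code built against OpenSSL can pass RAND_seed itself as the sink. */
typedef void (*seed_sink_fn)(const void *buf, int num);

/* Stand-in sink (hypothetical) that only counts bytes, so this file builds
 * without OpenSSL headers. */
static size_t demo_total;
static void demo_sink(const void *buf, int num) { (void)buf; demo_total += (size_t)num; }

/* Read up to SEED_BUF_MAX bytes from path and hand them to sink in one call.
 * Call this after FIPS mode is on: seeding done earlier does not survive
 * the switch to the DRBG. Returns bytes fed, or -1 if the file is missing
 * or shorter than min_bytes (nothing is fed in that case). */
long seed_from_file(const char *path, size_t min_bytes, seed_sink_fn sink)
{
    unsigned char buf[SEED_BUF_MAX];
    volatile unsigned char *wipe = buf;
    size_t got = 0, n, i;
    FILE *fp;

    if (path == NULL || sink == NULL || min_bytes == 0 || min_bytes > sizeof(buf))
        return -1;
    if ((fp = fopen(path, "rb")) == NULL)
        return -1;
    setvbuf(fp, NULL, _IONBF, 0);       /* keep seed bytes out of stdio's buffer */
    while (got < sizeof(buf) &&
           (n = fread(buf + got, 1, sizeof(buf) - got, fp)) > 0)
        got += n;
    fclose(fp);
    if (got >= min_bytes)
        sink(buf, (int)got);
    for (i = 0; i < sizeof(buf); i++)   /* scrub the stack copy */
        wipe[i] = 0;
    return got >= min_bytes ? (long)got : -1;
}

int main(int argc, char **argv)
{
    long fed = seed_from_file(argc > 1 ? argv[1] : "seed.bin", 32, demo_sink);
    if (fed < 0) { fprintf(stderr, "seed file missing or too short\n"); return 1; }
    printf("fed %ld bytes to the RAND sink\n", fed);
    return 0;
}
```

The minimum-length check makes a truncated or empty seed file a hard failure instead of a silent weak seed; the generator's own auto-seeding still applies either way.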