On Wed, Feb 19, 2014 at 8:51 PM, Dr Stephen Henson <shen...@opensslfoundation.com> wrote:
>
> On 20/02/2014 02:40, William A. Rowe Jr. wrote:
> > First insight, did you ./config openssl, or ./config shared? It seems near
> > impossible to use static openssl. apr-util configure will fail since
> > pkgconfig isn't consulted properly. httpd configure would also likely fail
> > for redundant symbols.
> >
>
> A static OpenSSL FIPS build will also have problems as statically built FIPS
> applications need to be linked with fipsld. It will appear to work until you
> try to enable FIPS mode and you'll then get a fatal "signature does not match"
> error.
>
> If you build and install a shared version of the FIPS capable OpenSSL this
> shouldn't happen.

Uhm, with one caveat... did the missing --noexecstack Configure.PL bugs (for -Wa and -Wl,-z) ever get resolved? Certain death under any modern gcc for a relocatable libcrypto.so containing the fips self-check code.