This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 1.2.x in repository https://gitbox.apache.org/repos/asf/tomcat-native.git
commit dd89296c52628d83f56d1bcb687c395f6f38cc43 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Sep 28 12:17:14 2023 +0100 Update the FIPS instructions --- native/BUILDING | 49 ++++++------------------------------------------- 1 file changed, 6 insertions(+), 43 deletions(-) diff --git a/native/BUILDING b/native/BUILDING index cd2473fc5..51793e02a 100644 --- a/native/BUILDING +++ b/native/BUILDING 
@@ -148,48 +148,11 @@ Windows Note: Use ENABLE_OCSP=1 to create OCSP enabled builds -Windows with FIPS -================= +FIPS +==== -The steps are broadly the same as the non-FIPS build with the following additions and changes. +No additional build steps are required. Configure OpenSSL to use the FIPS +certified provider as the default provider as described in the OpenSSL +documentation: -Note: The build process has only been verified with 64-bit Windows. The process - for 32-bit Windows should be very similar. - -1. Build the FIPS object module - - This step should be completed immediately before building OpenSSL. - - Unpack the openssl-fips-2.0.x.tar.gz distribution into native\srclib\openssl-fips - The tar.gz contains symbolic links. Ensure you unpack the archive with a tool - that replaces these with the linked file or manually replace the symbolic - links with associated the linked file before continuing. - - > c:\cmsc\setenv.bat /x64 - > set FIPSDIR=%cd%\lib-x64 - > ms\do_fips - -2. Modify the OpenSSL build configuration - - Add 'fips' to the OpenSSL build configuration - - > perl Configure VC-WIN64A fips - -3. Test the OpenSSL build - - This step should be completed immediately after building OpenSSL. - - > SET OPENSSL_FIPS=1 - > openssl md5 openssl.exe - - This should fail since MD5 is disabled in FIPS mode. - - > SET OPENSSL_FIPS= - > openssl md5 openssl.exe - - This should work. - -4. Modify the tc-native build configuration - - > c:\cmsc\setenv.bat /x64 - > nmake -f NMAKEMakefile WITH_APR=srclib\apr\WINXP_X64_LIB_RELEASE WITH_OPENSSL=srclib\openssl\release-x64 WITH_FIPS=srclib\openssl-fips\lib-x64 APR_DECLARE_STATIC=1 + https://www.openssl.org/docs/man3.0/man7/fips_module.html --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
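Review bot: The new FIPS section says "No additional build steps are required" and links to the OpenSSL 3.0 fips_module page, but it does not say which OpenSSL versions this applies to, while the removed text was written for the openssl-fips-2.0.x object module. Consider adding a line naming the OpenSSL version the provider-based setup assumes, so a reader building against an older OpenSSL knows these instructions do not cover it. The removed step 3 check (openssl md5 failing when FIPS mode is on) is also dropped without a replacement; a short note on how to confirm that the FIPS provider is in effect would let a builder catch a configuration where it is not. The heading also changes from "Windows with FIPS" to "FIPS", so it is worth confirming that the section's position in the file still matches its now platform-independent scope.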