Hi Tom,

Thanks for your reply. I did read the user guide and do understand that I 
cannot use the library directly. This is shown in my explanation where I try to 
change the compiler to use the script.
Thanks for all the other suggestions - I will definitely order the CD.

After I read your email, I again read the user guide and could not find fault 
in my method. So the only thing left to do is search for an error with SCons. 
Eventually I found the correct way to change the compiler settings and now the 
application is able to change between FIPS and non-FIPS mode. For anybody else 
interested in the solution, here it is (working with most of what I explained 
in the original message):

:
cc = env['CC']
env.Replace(CC = "FIPSLD_CC=" + cc + " /usr/local/ssl/fips-2.0/bin/fipsld")
:

Thanks again for all the help and emails
Leon Brits

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Tom Francis
Sent: 08 March 2013 04:01 PM
To: openssl-dev@openssl.org
Subject: Re: FIPS mode

I strongly recommend reading the user guide, as it'll help a lot.  You need to 
do more than simply link your application with libcrypto and libssl.  There's a 
sample shell script, fipsld, that's also provided in the distribution that 
shows the necessary actions (and can even be called in place of ld on most UNIX 
and UNIX-like systems).  Additionally, if you truly need FIPS 140 mode, you 
don't want to simply download openssl-fips-2.0.2, as the new requirements from 
the CMVP indicate that you need a trusted path for obtaining the source code, 
and that you need to verify your source package with a FIPS 140 approved 
algorithm (again, it's explained in the user's guide).  The best way to get 
what you need is to request a CD-ROM with the right stuff (again, see the User 
Guide).

http://www.openssl.org/docs/fips/UserGuide-2.0.pdf


On Mar 8, 2013, at 2:27 AM, Leon Brits wrote:

> Hi list,
>  
> I am not able to enable FIPS mode. FIPS_mode_set(1) fails.
> Our build system uses SCons so I hope somebody can help me...
>  
> First: I downloaded openssl-fips-2.0.2 and openssl-1.0.1e and extracted them.
> Next: In the openssl-fips-2.0.2 directory I typed:
> ./config
> make
> sudo make install
>  
> This created the directory /usr/local/ssl/fips-2.0 and some other such 
> as the /usr/local/ssl/include directory
>  
> Next: in the openssl-1.0.1 directory I typed:
> ./config fips
> make
> sudo make install
>  
> which added some more files and directories to the /usr/local/ssl directory 
> such as bin and lib. I made a symbolic link to /usr/bin/openssl from 
> /usr/local/ssl/bin/openssl and "openssl version" reports "OpenSSL 1.0.1e-fips 
> ...". All seems fine.
>  
> Next: I want to use the static libraries with my app so I added the following 
> code to SConstruct which compiles my app:
> libssl = File('/usr/local/ssl/lib/libssl.a')
> libcrypto = File('/usr/local/ssl/lib/libcrypto.a')
> env.Append(LIBS = [libssl, libcrypto, ....])
>  
> as well as prepending the path to the new includes so that it will be used 
> instead of default installed includes:
>  
> env.Prepend(CPPPATH = 
> ['/usr/local/ssl/include','/usr/include','/usr/local/include'])
>  
> I also changed my environment compiler variable from cc="gcc" to cc="fipsld".
>  
> The compilation completes successfully, but when I execute it the application 
> simply refuses to enter FIPS mode.
>  
> Any suggestions? (please)
>  
> Thanks
> Leon Brits
>  
>  
>  
>  
> Leon Brits
> Senior Design Engineer
> 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org

