Hello Dr. Thanks for the solution. It worked out. For others I am giving the steps: 1)create FIPS Object module. 2)download http://www.openssl.org/source/openssl-0.9.8r.tar.gz 3)untar and run following commands in order to build and install a)./config fips --with-fipslibdir=<PATH to FIPS OBJECT example:/usr/local/ssl/fips-1.0/lib> b)make c)make install 4) done. I tried to create certificate with the fips capable Openssl
Thanks Prab(rock) Dr. Stephen Henson wrote: > > On Thu, Aug 25, 2011, rockrider33 wrote: > >> >> Hi All, >> >> I am new to linux and openssl stuff. >> >> I have tried to install OpenSSL (1.2.3 with fips)with FIPS module and >> it's >> successful. (built and installed) >> >> For building: >> i had used make and gcc version 4.3.4 >> >> I hope installation was successful and it created FIPS module and openssl >> binary (usr/local/ssl/fips1-0/bin) >> Note: my machine already installed with openssl 0.9.8h. I didnt uninstall >> it. >> >> what i tried is, >> 1.executed /usr/local/ssl/fips1-0/bin/openssl this binary and created >> self >> signed certificate "key" -successful >> 2.Using same command, trying to create certificate signing request and it >> failed with "Invalid instruction" >> 3.I saw system logs, it had an entry >> Aug 23 05:11:36 lglor248 kernel: [14103.238431] openssl[15942] trap >> invalid >> opcode ip:7fcb3cc886d0 sp:7fff7a02c9a8 error:0 in >> libcrypto.so.0.9.8[7fcb3cb90000+16a000] >> >> I had some googling on this and found a relevant link: >> http://forum.doom9.org/archive/index.php/t-125808.html >> >> But i don't feel my gcc version would be causing this issue since that >> post >> was quite old and i have almost latest gcc. >> >> It will be appreciated if any one helps me out on this.. >> >> NOTE: i used the openssl command which i created and never used existing >> installation (old 0.9.8h). >> > > The usual cause of this is if you attempt to use the version of OpenSSL > that > comes with the validated module: don't do that as it is old and newer > versions > of gcc do horrible things when you try to use it. > > Instead use the validated tarball to build the module and then use the > latest version of OpenSSL to link against the module, a so called "FIPS > capable OpenSSL". Details in the user guide. > > -- > Dr Stephen N. Henson. OpenSSL project core developer. > Commercial tech support now available see: http://www.openssl.org > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List [email protected] > Automated List Manager [email protected] > > -- View this message in context: http://old.nabble.com/OpenSSL-FIPS-module-self-signed-certificate-creation-failed-tp32333668p32354713.html Sent from the OpenSSL - User mailing list archive at Nabble.com. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [email protected] Automated List Manager [email protected]
