Bill,

This may help - I just did the same using latest Ubuntu Release

 
Jack D. Pond

"It's not hard to meet expenses, they're everywhere."

----------


sudo apt-get install build-essential # if you haven't already
wget http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz.sha1
wget http://www.openssl.org/source/openssl-fips-1.2.3.tar.gz
sha1sum openssl-fips-1.2.3.tar.gz
cat openssl-fips-1.2.3.tar.gz.sha1
export OPENSSL_FIPS=1
openssl sha1 -hmac etaonrishdlcupfm openssl-fips-1.2.3.tar.gz
echo # Correct result can be found in Appendix B of User Guide 
tar -zxvf openssl-fips-1.2.3.tar.gz
cd openssl-fips-1.2.3

# Make the canister
./config fipscanisterbuild
make
sudo make install


sudo vim /usr/local/ssl/fips-1.0/openssl.cnf # make fips-mode=yes
#
./config fips --with-fipslibdir="/usr/local/ssl/fips-1.0/lib"
make
sudo make install

sudo vim /etc/ld.so.conf.d/FIPS.conf
# add the following line (or whatever was specified in the build command as
# OpenSSL shared libraries have been installed in:)
/usr/local/ssl/fips-1.0
# Then activate the link library:
sudo ldconfig
# Create a symbolic link in the executables:

# Change AppArmor
sudo vim /etc/apparmor.d/abstractions/openssl
# add this line
/usr/local/ssl/fips-1.0/openssl.cnf r,
#

sudo mv /usr/bin/openssl /usr/bin/openssl.save
sudo ln -s /usr/local/ssl/fips-1.0/bin/openssl /usr/bin/openssl
# Test
openssl version

-----------------
> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
> On Behalf Of Bill Durant
> Sent: Wednesday, November 02, 2011 1:25 AM
> To: openssl-users@openssl.org
> Cc: Bill Durant
> Subject: Re: How to build a FIPS-capable OpenSSL on Ubuntu Linux from the latest snapshots?
> 
> On Nov 1, 2011, at 4:34 PM, Bill Durant wrote:
> > On Nov 1, 2011, at 4:23 PM, Dr. Stephen Henson wrote:
> >> On Tue, Nov 01, 2011, Bill Durant wrote:
> >>
> >>> Hello,
> >>>
> >>> What is the procedure for building a FIPS-capable OpenSSL snapshot on Ubuntu 8.04.4 LTS from the following snapshots:
> >>>
> >>> ftp://ftp.openssl.org/snapshot/openssl-1.0.1-stable-SNAP-20111031.tar.gz
> >>>
> >>> ftp://ftp.openssl.org/snapshot/openssl-fips-2.0-test-20111031.tar.gz
> >>>
> >>> When I try to build it,  I get the following compilation error:
> >>>
> >>> ======
> >>> In file included from hm_pmeth.c:64:
> >>> ../evp/evp_locl.h:359:1: error: "SHA1_Init" redefined
> >>> In file included from /tmp/foo/include/openssl/crypto.h:151,
> >>>                from ../cryptlib.h:72,
> >>>                from hm_pmeth.c:59:
> >>> /tmp/foo/include/openssl/fipssyms.h:456:1: error: this is the location of the previous definition
> >>> ======
> >>>
> >>> $ ./config fipscanisterbuild no-asm
> >>> ...
> >>> ...
> >>> Configured for linux-elf.
> >>>
> >>
> >> Avoid no-asm: currently no one wants a C only platform so it won't be
> >> a supported platform. It will be *much* slower.
> >
> >
> > OK
> >
> >
> >>
> >>>
> >>> $ ./config fips --prefix=$FIPSDIR no-idea no-mdc2 no-rc5 no-asm ...
> >>> ...
> >>> Since you've disabled or enabled at least one algorithm, you need to
> >>> do the following before building:
> >>>
> >>>   make depend
> >>>
> >>
> >> Don't do "make depend" it gets a bit confused. Just doing "make"
> >> should work fine.
> >>
> >> Steve.
> >
> >
> > When I skip doing 'make depend' and just do 'make' I get the following compilation error:
> >
> > gcc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -I/tmp/foo/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM   -c -o e_bf.o e_bf.c
> > make[2]: *** No rule to make target `../../include/openssl/idea.h', needed by `e_idea.o'. Stop.
> > make[2]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto/evp'
> > make[1]: *** [subdirs] Error 1
> > make[1]: Leaving directory `/home/bdurant/svn/trunk/Crypto/Linux/openssl-1.0.1-stable-SNAP-20111031/crypto'
> > make: *** [build_crypto] Error 1
> >
> > What else am I missing?
> >
> > Thanks,
> >
> > Bill
> 
> 
> I hacked my way thru this compilation error with the following:
> 
> $ cd openssl-1.0.1-stable-SNAP-20111031
> $ ./config fips --prefix=/tmp/foo no-idea no-mdc2 no-rc5 shared
> $ cp crypto/mdc2/*.h include/openssl
> $ cp crypto/idea/*.h include/openssl
> $ make
> 
> Let me know if there is something wrong with doing that.
> 
> Bill
> 
> >
> >
> >> --
> >> Dr Stephen N. Henson. OpenSSL project core developer.
> >> Commercial tech support now available see: http://www.openssl.org
> >>
> >> ______________________________________________________________________
> >> OpenSSL Project                                 http://www.openssl.org
> >> User Support Mailing List                    openssl-users@openssl.org
> >> Automated List Manager                           majord...@openssl.org
> >
> 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
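
The command list at the top of this message prints the published SHA-1, the computed SHA-1 and the HMAC-SHA1 of the tarball and leaves the comparison to the eye. The following is an added sketch, not part of the original message or of the OpenSSL project, that makes both comparisons fail closed. The function names are hypothetical, and the expected HMAC is assumed to be the value the message says is listed in Appendix B of the User Guide, passed in as an argument.

```shell
#!/bin/sh
# Added example: fail-closed integrity checks for a downloaded tarball.
# The HMAC key and the sha1sum / openssl invocations are the ones used in the
# command list; the expected HMAC is supplied by the operator.

# Pull the first 40-hex-digit token out of stdin and lower-case it, so that
# "hex", "hex  file" and "SHA1(file)= hex" all compare the same way.
extract_sha1() {
    grep -oE '[0-9a-fA-F]{40}' | head -n 1 | tr 'A-F' 'a-f'
}

# verify_sha1 TARBALL SHA1_FILE: succeeds only if the published digest matches.
verify_sha1() {
    want=$(extract_sha1 < "$2") || return 1
    got=$(sha1sum "$1" | extract_sha1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# hmac_sha1 TARBALL [KEY]: prints the HMAC-SHA1 hex digest of the tarball.
hmac_sha1() {
    openssl sha1 -hmac "${2:-etaonrishdlcupfm}" "$1" | sed 's/.*= *//' | extract_sha1
}

# verify_hmac TARBALL EXPECTED_HEX [KEY]: an empty or malformed expected value fails.
verify_hmac() {
    want=$(printf '%s' "$2" | extract_sha1)
    got=$(hmac_sha1 "$1" "$3")
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# verify_download TARBALL SHA1_FILE EXPECTED_HMAC: both checks must pass.
verify_download() {
    verify_sha1 "$1" "$2" || { echo "SHA-1 mismatch: $1" >&2; return 1; }
    verify_hmac "$1" "$3" || { echo "HMAC-SHA1 mismatch: $1" >&2; return 1; }
}
```

Source the file, then run `verify_download openssl-fips-1.2.3.tar.gz openssl-fips-1.2.3.tar.gz.sha1 <HMAC from Appendix B>` and unpack only if it returns 0.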
