Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
Jerry, All,

I have built FIPS capable OpenSSL 1.0.1c and formed shared libs (libcrypto.so.1.0.0 and libssl.so.1.0.0). Now I am trying to build Apache to make it FIPS capable. Do you mind telling me the steps involved in building Apache with the newly built OpenSSL? (I am cross compiling, so have not installed OpenSSL.)

I tried downloading and building httpd-2.2.24 / apache_1.3.41 and mod_ssl 1.3.39, but I see compatibility issues. Can you point me to which mod_ssl version is compatible to work with openssl 1.0.1c / apache (latest)?

--
View this message in context: http://openssl.6102.n7.nabble.com/FIPS-enable-Apache-2-4-3-with-OpenSSL-1-0-1c-fips-tp42788p44538.html

__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
My issue is resolved. I had to add the following before calling httpd configure:

    export CC=fipsld
    export FIPSLD_CC=gcc

Thanks.

This is a PRIVATE message. If you are not the intended recipient, please delete without copying and kindly advise us by e-mail of the mistake in delivery. NOTE: Regardless of content, this e-mail shall not operate to bind CSC to any order or other contract unless pursuant to explicit written agreement or government initiative expressly permitting the use of e-mail for such purpose.

From: Jerry Blasdel/USA/CSC
To: Steve Marquess
Cc: openssl-users@openssl.org
Date: 12/20/2012 07:54 AM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips

I modified the example slightly to fit our configuration. The fips build may have worked. I get the following:

    making install in fips/utl...
    for i in fipsld fips_standalone_sha1 ; \
    do \
    echo "installing $i"; \
    cp $i /usr/local/ssl/fips-2.0/bin/$i.new; \
    chmod 755 /usr/local/ssl/fips-2.0/bin/$i.new; \
    mv -f /usr/local/ssl/fips-2.0/bin/$i.new /usr/local/ssl/fips-2.0/bin/$i; \
    done
    installing fipsld
    installing fips_standalone_sha1
    cp -p -f fipscanister.o fipscanister.o.sha1 \
    fips_premain.c fips_premain.c.sha1 \
    /usr/local/ssl/fips-2.0/lib/; \
    chmod 0444 /usr/local/ssl/fips-2.0/lib/fips*
    making install in test...

During the make depend for OpenSSL I get several warnings similar to this:

    makedepend: warning: mdc2dgst.c: 69: #error MDC2 is disabled.
    makedepend: warning: mdc2_one.c: 150: #error("Unrecognized compiler protocol for variable argument lists")

Then, I get the following errors:

    cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -c cmac.c
    cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -c cm_ameth.c
    cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -c cm_pmeth.c
    ar r ../../libcrypto.a cmac.o cm_ameth.o cm_pmeth.o
    /usr/ccs/bin/ranlib ../../libcrypto.a || echo Never mind.
    if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
    (cd ..; make libcrypto.so.1.0.0); \
    fi
    [ -z "libcrypto" ] || cc -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -Iinclude \
    -DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \
    /usr/local/ssl/fips-2.0/lib/fips_premain.c /usr/local/ssl/fips-2.0/lib/fipscanister.o \
    libcrypto.a -lsocket -lnsl -ldl
    ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined:
    (file /usr/local/ssl/fips-2.0/lib//fipscanister.o type=FUNC; file libcrypto.a(sparcv9a-mont.o) type=FUNC);
    ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0
    *** Error code 1
    The following command caused the error:
    if (/usr/local/ssl/fips-2.0/bin/fipsld -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null; then \
    SHLIB_COMPAT=; SHLIB_SOVER=; if [ -n "1.0.0;" ]; then prev=""; for v in `echo "1.0.0 ;" | cut -d';' -f1`; do SHLIB_SOVER_NODOT=$v; SHLIB_SOVER=.$v; if [ -n "$prev" ]; then SHLIB_COMPAT="$SHLIB_COMPAT .$prev"; fi; prev=$v; done; fi; SHLIB=libcrypto.so; SHLIB_SUFFIX=; ALLSYMSFLAGS='-Wl,--whole-archive'; NOALLSYMSFLAGS='-Wl,--no-whole-archive'; SHAREDFLAGS="-KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -G -dy -z text -shared -Wl,-Bsymbolic -Wl,-soname=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX"; \
    else \
    SHLIB_COMPAT=; SHLIB_SOVER=; if [ -n "1.0.0;" ]; then prev=""
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
I'm still having the same original fingerprint error when I start Apache.

    [Fri Jan 04 20:22:27.251329 2013] [ssl:emerg] [pid 27764:tid 1] AH01885: FIPS mode failed
    [Fri Jan 04 20:22:27.251488 2013] [ssl:emerg] [pid 27764:tid 1] SSL Library Error: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
    [Fri Jan 04 20:22:27.251497 2013] [ssl:emerg] [pid 27764:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.

Are there tests that I can run against my OpenSSL that show if it was built correctly to handle FIPS mode?

Thanks in advance.

From: Steve Marquess
To: openssl-users@openssl.org
Cc: Jerry Blasdel/USA/CSC@CSC
Date: 12/18/2012 09:21 AM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
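A check for the question asked above, added here as an example and not something posted in the thread: the openssl command-line tool in OpenSSL 1.0.x calls FIPS_mode_set(1) when the OPENSSL_FIPS environment variable is set, which runs the same FIPS_check_incore_fingerprint test that mod_ssl runs for "SSLFIPS on", so a "FIPS capable" build can be exercised without starting httpd at all. The script below is POSIX sh; the function names, the return-code scheme, and the use of /usr/local/ssl/fips-2.0 as the default module prefix (the path from the install output earlier in this thread) are this example's own choices. It classifies the outcome of entering FIPS mode and lists which of the FIPS Object Module files that the fipsld link step consumes are missing.

```shell
#!/bin/sh
# Added example (not from the thread). Exercises a "FIPS capable" OpenSSL
# 1.0.x build the same way mod_ssl does: the openssl tool calls
# FIPS_mode_set(1) when OPENSSL_FIPS is set, which performs the in-core
# fingerprint check. Function names and return codes are this script's own.
#
# Usage: OPENSSL_BIN=/usr/local/ssl/bin/openssl sh fips_check.sh
#
# fips_mode_check <openssl-binary>
#   0 = FIPS mode entered (fingerprint check passed)
#   1 = FIPS mode failed for another reason (error text is in $out)
#   2 = "fingerprint does not match" (the error seen in this thread)
#   3 = no executable at that path
fips_mode_check() {
    bin="$1"
    [ -x "$bin" ] || return 3
    # Hash an empty input with an approved digest; failing to enter FIPS mode
    # makes the tool exit non-zero and print the library error to stderr.
    out=$(OPENSSL_FIPS=1 "$bin" sha256 /dev/null 2>&1)
    rc=$?
    [ "$rc" -eq 0 ] && return 0
    case "$out" in
        *"fingerprint does not match"*) return 2 ;;
        *) return 1 ;;
    esac
}

# fips_module_files_present [module-prefix]
#   Prints each missing file and returns the number missing (0 = all present).
#   The file list is what "make install" of the FIPS Object Module puts in
#   place and what fipsld needs at link time.
fips_module_files_present() {
    prefix="${1:-/usr/local/ssl/fips-2.0}"
    missing=0
    for f in bin/fipsld bin/fips_standalone_sha1 \
             lib/fipscanister.o lib/fipscanister.o.sha1 \
             lib/fips_premain.c lib/fips_premain.c.sha1; do
        if [ ! -e "$prefix/$f" ]; then
            echo "missing: $prefix/$f"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Top-level report, only when a binary is named via OPENSSL_BIN so the
# functions above can also be sourced from other scripts.
if [ -n "${OPENSSL_BIN:-}" ]; then
    rc=0; fips_mode_check "$OPENSSL_BIN" || rc=$?
    case "$rc" in
        0) echo "FIPS mode entered: in-core fingerprint check passed" ;;
        2) echo "in-core fingerprint mismatch: the fingerprint embedded at link time does not match this binary" ;;
        3) echo "no executable at $OPENSSL_BIN" ;;
        *) echo "FIPS mode failed for another reason:"; echo "$out" ;;
    esac
    fips_module_files_present "${FIPS_PREFIX:-/usr/local/ssl/fips-2.0}" || :
fi
```

A return code of 2 from a shared-library build reproduces, outside httpd, exactly the condition behind the AH01885 / FIPS_check_incore_fingerprint messages in the log above, which separates an OpenSSL link problem from anything in the httpd build.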
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
    a -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -G -dy -z text -h $SHLIB$SHLIB_SOVER$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
    fi; \
    SHOBJECTS="libcrypto.a "; ( :;LIBDEPS="${LIBDEPS:--L. -lsocket -lnsl -ldl}"; SHAREDCMD="${SHAREDCMD:-/usr/local/ssl/fips-2.0/bin/fipsld}"; SHAREDFLAGS="${SHAREDFLAGS:--KPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -G -dy -z text}"; LIBPATH=`for x in $LIBDEPS; do echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH | sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH ${SHAREDCMD} ${SHAREDFLAGS} -o $SHLIB$SHLIB_SOVER$SHLIB_SUFFIX $ALLSYMSFLAGS $SHOBJECTS $NOALLSYMSFLAGS $LIBDEPS ) && if [ -n "$INHIBIT_SYMLINKS" ]; then :; else prev=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX; if [ -n "$SHLIB_COMPAT" ]; then for x in $SHLIB_COMPAT; do ( :; rm -f $SHLIB$x$SHLIB_SUFFIX; ln -s $prev $SHLIB$x$SHLIB_SUFFIX ); prev=$SHLIB$x$SHLIB_SUFFIX; done; fi; if [ -n "$SHLIB_SOVER" ]; then ( :; rm -f $SHLIB$SHLIB_SUFFIX; ln -s $prev $SHLIB$SHLIB_SUFFIX ); fi; fi
    make: Fatal error: Command failed for target `link_a.solaris'

Any help is greatly appreciated.

From: Steve Marquess
To: openssl-users@openssl.org
Cc: Jerry Blasdel/USA/CSC@CSC
Date: 12/18/2012 09:21 AM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
On 12/18/2012 08:57 AM, Jerry Blasdel wrote:
> Steve,
>
> That was a typing error. I verified that I am building:
>
> Extracting OpenSSL Fips source...
> openssl-fips-2.0.1/...
>
> Extracting OpenSSL source...
> openssl-1.0.1c/ACKNOWLEDGMENTS...
>
> What steps can I take to help identify the problem with my FIPS capable
> built OpenSSL?

Well, start at the beginning. Have you tried building the "FIPS capable" OpenSSL per section 4.2 and the examples in the User Guide?

Also see the example at:

  http://opensslfoundation.com/fips/2.0/platforms/linux-native/Makefile

which should work in any Linux or Linux-like system (just do "make").

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
Steve,

That was a typing error. I verified that I am building:

    Extracting OpenSSL Fips source...
    openssl-fips-2.0.1/...

    Extracting OpenSSL source...
    openssl-1.0.1c/ACKNOWLEDGMENTS...

What steps can I take to help identify the problem with my FIPS capable built OpenSSL?

Thanks

From: Steve Marquess
To: Jerry Blasdel/USA/CSC@CSC
Cc: openssl-users@openssl.org
Date: 12/17/2012 03:20 PM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
Sent by: owner-openssl-us...@openssl.org
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
On 12/17/2012 04:15 PM, Jerry Blasdel wrote:
> Steve,
>
> Thank you for your quick reply. We are trying to follow the User's
> Guide when building.
>
> We did the following:
>
> For OpenSSLFips (openssl-fips-1.2)
>
> ./config
>
> make
> make install
>
> For OpenSSL (openssl-1.0.1c)

Ah. The 1.2 module is not compatible with OpenSSL 1.0.1c. You need to use the OpenSSL FIPS Object Module 2.0 as documented in the User Guide:

  http://www.openssl.org/docs/fips/UserGuide-2.0.pdf

-Steve M.
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
Steve,

Thank you for your quick reply. We are trying to follow the User's Guide when building.

We did the following:

For OpenSSLFips (openssl-fips-1.2)

    ./config
    make
    make install

For OpenSSL (openssl-1.0.1c)

    ./configure fips --prefix=/WWW/openssl --withfipslibdir=/usr/local/ssl/fips-2.0/lib
    make
    make test
    make install

Is there anything, such as make test or other commands, we could run on the built OpenSSL to see if it was built incorrectly?

Thanks

From: Steve Marquess
To: openssl-users@openssl.org
Cc: Jerry Blasdel/USA/CSC@CSC
Date: 12/17/2012 02:59 PM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
On 12/17/2012 12:32 PM, Jerry Blasdel wrote:
> All,
>
> We are trying to get a FIPS enabled Apache 2.4.3 built with OpenSSL 1.01.
>
> Everything appeared to build correctly but when we try to start Apache
> with SSLFIPS on directive we get the following error:
>
> ...
> Library Error: error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match
> [Mon Dec 17 17:23:13.134150 2012] [ssl:emerg] [pid 10703:tid 1] AH02312:
> Fatal error initialising mod_ssl, exiting.
> /WWW/apache2/apache/logs
>
> What could be the cause of this error?

There are a multitude of ways the special FIPS module link could fail. But, I suspect your problem probably has nothing to do with Apache httpd. Absent some very unusual circumstances any system that is running httpd should be using shared OpenSSL libraries, which means it is your "FIPS capable" OpenSSL that was not built correctly.

Have you tried following the examples of building "FIPS capable" OpenSSL libraries in the User Guide?

-Steve M.
FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
All,

We are trying to get a FIPS enabled Apache 2.4.3 built with OpenSSL 1.01.

Everything appeared to build correctly but when we try to start Apache with the SSLFIPS on directive we get the following error:

    [Mon Dec 17 17:22:15.355149 2012] [mpm_worker:notice] [pid 10612:tid 1] AH00292: Apache/2.4.3 (Unix) OpenSSL/1.0.1c-fips configured -- resuming normal operations
    [Mon Dec 17 17:22:15.355460 2012] [core:notice] [pid 10612:tid 1] AH00094: Command line: '/WWW/apache2/apache/bin/httpd -d /WWW/apache2/apache -f /WWW/apache2/apache/conf/httpd.conf'
    [Mon Dec 17 17:23:09.532595 2012] [mpm_worker:notice] [pid 10612:tid 1] AH00295: caught SIGTERM, shutting down
    [Mon Dec 17 17:23:13.133877 2012] [ssl:emerg] [pid 10703:tid 1] AH01885: FIPS mode failed
    [Mon Dec 17 17:23:13.134056 2012] [ssl:emerg] [pid 10703:tid 1] SSL Library Error: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
    [Mon Dec 17 17:23:13.134150 2012] [ssl:emerg] [pid 10703:tid 1] AH02312: Fatal error initialising mod_ssl, exiting.
    /WWW/apache2/apache/logs

What could be the cause of this error?

Thanks in advance.