I’m trying to build httpd 2.4.54 against OpenSSL 3.0.5 compiled for FIPS. I’ve 
followed the OpenSSL and httpd build docs, but when I turn on the SSLFIPS 
directive in my config, I still get an error message saying “SSLFIPS invalid, 
rebuild httpd and openssl compiled for FIPS”. A Google search turns up plenty 
of results for compiling older OpenSSL versions for FIPS, but nothing for 
OpenSSL 3 and the new FIPS module.

I’ve put together a Docker container with my attempt at a FIPS build: 
https://github.com/SmithJosh/httpd-openssl3-fips/blob/main/Dockerfile

A couple notes:

1. I ran “./Configure enable-fips” before building OpenSSL and added the 
following to /usr/local/ssl/openssl.cnf after building to enable FIPS mode:

```
config_diagnostics = 1
openssl_conf = openssl_init

.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
```

2. Running “openssl md5 <<< ‘12345’” returns the following error, which I 
believe indicates I’ve enabled FIPS mode correctly:

```
# openssl md5 <<< "12345"
Error setting digest
80327F263C7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 102), Properties ()
80327F263C7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:
```

With that in mind, I’m confused why Apache still complains about not being 
compiled for FIPS. What am I missing?

Thanks,
Josh
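
An added example, not part of the original post: Python that resolves which providers the openssl.cnf quoted above activates, which is the library state behind the MD5 error shown. The fipsmodule.cnf contents, the `INCLUDES` map and the function names are constructed for illustration, and only the config syntax that appears in the post is handled.

```python
import re

# Constructed sample: the openssl.cnf fragment quoted in the post (blank lines dropped).
OPENSSL_CNF = """\
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
"""
# Constructed stand-in for the file `openssl fipsinstall` writes; the real
# file also carries integrity fields (placeholder value shown here).
INCLUDES = {"/usr/local/ssl/fipsmodule.cnf":
            "[fips_sect]\nactivate = 1\nmodule-mac = PLACEHOLDER\n"}

def expand(text, includes):
    """Splice .include files in place, as if their lines were written inline."""
    lines = []
    for line in text.splitlines():
        m = re.match(r"\s*\.include\s*=?\s*(\S+)\s*$", line)
        lines.extend(expand(includes[m.group(1)], includes) if m else [line])
    return lines

def parse(text, includes):
    """Return {section: {key: value}}; keys before any header go to 'default'."""
    sections, current = {"default": {}}, "default"
    for raw in expand(text, includes):
        line = raw.split("#", 1)[0].strip()
        head = re.match(r"\[\s*(\S+)\s*\]$", line)
        if head:
            current = head.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def active_providers(text, includes):
    """Follow openssl_conf -> providers -> per-provider section 'activate'."""
    s = parse(text, includes)
    init = s.get(s["default"].get("openssl_conf", ""), {})
    wanted = s.get(init.get("providers", ""), {})
    # Only the 'activate = 1' spelling used on the page is recognised here.
    return {n: s.get(sec, {}).get("activate") == "1" for n, sec in wanted.items()}
```

For the quoted config the result contains `fips` and `base` only; because the config activates providers explicitly, the `default` provider is not loaded, so a digest that neither listed provider implements (MD5 here) cannot be fetched.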
