Re: [users@httpd] Apache with OpenSSL 3 compiled for FIPS - SSLFIPS invalid
That was it. Thanks Yann!

Josh

From: Yann Ylavic
Date: Friday, October 21, 2022 at 5:26 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] Apache with OpenSSL 3 compiled for FIPS - SSLFIPS invalid

On Fri, Oct 21, 2022 at 2:07 AM Joshua Smith wrote:
>
> With that in mind, I’m confused why Apache still complains about not being
> compiled for FIPS. What am I missing?

Possibly this change (which was overlooked for httpd-2.4.54 release):
https://github.com/apache/httpd/commit/8b800c1457aee40d871e07470c1a962bf3e25de3

Patching 2.4.54 with
https://github.com/apache/httpd/commit/8b800c1457aee40d871e07470c1a962bf3e25de3.patch
should work.

Regards;
Yann.

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
Re: [users@httpd] Apache with OpenSSL 3 compiled for FIPS - SSLFIPS invalid
On Fri, Oct 21, 2022 at 2:07 AM Joshua Smith wrote:
>
> With that in mind, I’m confused why Apache still complains about not being
> compiled for FIPS. What am I missing?

Possibly this change (which was overlooked for httpd-2.4.54 release):
https://github.com/apache/httpd/commit/8b800c1457aee40d871e07470c1a962bf3e25de3

Patching 2.4.54 with
https://github.com/apache/httpd/commit/8b800c1457aee40d871e07470c1a962bf3e25de3.patch
should work.

Regards;
Yann.
[users@httpd] Apache with OpenSSL 3 compiled for FIPS - SSLFIPS invalid
I’m trying to build httpd 2.4.54 against OpenSSL 3.0.5 compiled for FIPS. I’ve followed the OpenSSL and httpd build docs, but when I turn on the SSLFIPS directive in my config, I still get an error message saying “SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS”. A Google search turns up plenty of results for compiling older OpenSSL versions for FIPS, but nothing for OpenSSL 3 and the new FIPS module.

I’ve put together a Docker container with my attempt at a FIPS build: https://github.com/SmithJosh/httpd-openssl3-fips/blob/main/Dockerfile

A couple notes:

1. I ran “./Configure enable-fips” before building OpenSSL and added the following to /usr/local/ssl/openssl.cnf after building to enable FIPS mode

```
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf

[openssl_init]
providers = provider_sect

[provider_sect]
fips = fips_sect
base = base_sect

[base_sect]
activate = 1
```

2. Running “openssl md5 <<< ‘12345’” returns the following error which I believe indicates I’ve enabled FIPS mode correctly

```
# openssl md5 <<< "12345"
Error setting digest
80327F263C7F:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 102), Properties ()
80327F263C7F:error:0386:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:
```

With that in mind, I’m confused why Apache still complains about not being compiled for FIPS. What am I missing?

Thanks,
Josh
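
A small lint for the provider chain in the openssl.cnf quoted in the message above, as an added example that is not part of any message in this thread and is not httpd or OpenSSL code. It follows openssl_conf -> providers -> fips/base and reports the first missing link; the function name `fips_conf_check` is hypothetical, and the check does not read the included fipsmodule.cnf or say anything about how httpd itself was built.

```shell
#!/bin/sh
# fips_conf_check FILE (hypothetical helper): follow the chain
# openssl_conf -> providers -> fips/base in an OpenSSL 3 config file.
# Files pulled in by .include are not read; only the reference is checked.
fips_conf_check() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    { sub(/#.*/, "") }                          # strip comments
    /^[ \t]*$/ { next }                         # skip blank lines
    /^[ \t]*\.include[ \t=]/ { if ($0 ~ /fipsmodule\.cnf/) inc = 1; next }
    /^[ \t]*\[.*\]/ {                           # [section] header
        sec = $0; sub(/^[ \t]*\[[ \t]*/, "", sec); sub(/[ \t]*\].*$/, "", sec)
        seen[sec] = 1; next
    }
    (eq = index($0, "=")) {                     # key = value in current section
        kv[sec, trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        init = kv["", "openssl_conf"]; prov = kv[init, "providers"]
        fips = kv[prov, "fips"];       base = kv[prov, "base"]
        if (init == "")      msg = "no top-level openssl_conf"
        else if (prov == "") msg = "[" init "] has no providers entry"
        else if (fips == "") msg = "no fips entry in [" prov "]"
        else if (!(fips in seen) && !inc)
            msg = "[" fips "] not defined and fipsmodule.cnf not included"
        else if (base == "" || !((base, "activate") in kv))   # presence only
            msg = "base provider not activated"
        if (msg != "") { print "FAIL: " msg; exit 1 }
        print "OK: fips=[" fips "] base=[" base "]"
    }' "$1"
}

# Constructed sample input: the openssl.cnf lines from the message above.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
config_diagnostics = 1
openssl_conf = openssl_init
.include /usr/local/ssl/fipsmodule.cnf
[openssl_init]
providers = provider_sect
[provider_sect]
fips = fips_sect
base = base_sect
[base_sect]
activate = 1
EOF
fips_conf_check "$demo_conf"
rm -f "$demo_conf"
```

A passing result only shows that the configuration file is wired up consistently; it does not show that the FIPS module loaded or passed its self-tests.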