Re: [users@httpd] How to build Apache with FIPS mode capable?

Wed, 10 Feb 2016 14:15:06 -0800 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rich,

On 2/10/16 1:12 PM, cloud force wrote:
> I added the "SSLFIPS on" option to the httpd.conf as suggested in
> the ssl_mod doc, and I got the following error:
> 
> * Starting web server apache2
> 
> 
> Syntax error on line 1 of /etc/apache2/httpd.conf:
> 
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
> 
> Action 'start' failed.
> 
> The Apache error log may have more information.

It looks like httpd *must* be built against a FIPS-capable library.

- From modules/ssl/ssl_engine_config.c:692:

> #ifdef HAVE_FIPS if ((sc->fips != UNSET) && (sc->fips !=
> (BOOL)(flag ? TRUE : FALSE))) return "Conflicting SSLFIPS options,
> cannot be both On and Off"; sc->fips = flag ? TRUE : FALSE; #else 
> if (flag) return "SSLFIPS invalid, rebuild httpd and openssl
> compiled for FIPS"; #endif
> 
> return NULL; }

So you think you really do have to re-build. But the only thing that
needs to be defined is OPENSSL_FIPS. From modules/ssl/ssl_private.h:126:

> #if defined(OPENSSL_FIPS) #define HAVE_FIPS #endif

So if you grab the source and simply do:

$ CFLAGS=-DOPENSSL_FIPS ./configure [other opts]
$ make

That ought to get you a FIPS-capable httpd.

To those down and dirty with httpd: is there a reason not to
UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
doesn't support FIPS mode, it will complain about it and refuse to
enter FIPS mode. The httpd code already handles this in
mobules/ssl/ssl_engine_init.c:

> #ifdef HAVE_FIPS if(sc->fips) { if (!FIPS_mode()) { if
> (FIPS_mode_set(1)) { ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s,
> APLOGNO(01884) "Operating in SSL FIPS mode"); } else { 
> ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS
> mode failed"); ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s); 
> return ssl_die(s); } } } else { ap_log_error(APLOG_MARK,
> APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL FIPS mode disabled"); } 
> #endif

I don't see a compelling reason to have all the #ifdef HAVE_FIPS
conditionals all over the place.

Hope that helps,
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7tjQACgkQ9CaO5/Lv0PDtUgCfT9JC4pOt0WdZWe3XsFRtQgWa
f+AAmwQY+A5KmdTEzwR47/aEK3b/xchg
=WaCl
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to