Rich,
On 2/10/16 1:12 PM, cloud force wrote:
> I added the "SSLFIPS on" option to the httpd.conf as suggested in
> the ssl_mod doc, and I got the following error:
>
> * Starting web server apache2
>
> Syntax error on line 1 of /etc/apache2/httpd.conf:
>
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
>
> Action 'start' failed.
>
> The Apache error log may have more information.
It looks like httpd *must* be built against a FIPS-capable library.
From modules/ssl/ssl_engine_config.c:692:
> #ifdef HAVE_FIPS
>     if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
>         return "Conflicting SSLFIPS options, cannot be both On and Off";
>     sc->fips = flag ? TRUE : FALSE;
> #else
>     if (flag)
>         return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
> #endif
>
>     return NULL;
> }
So you think you really do have to re-build. But the only thing that
needs to be defined is OPENSSL_FIPS. From modules/ssl/ssl_private.h:126:
> #if defined(OPENSSL_FIPS)
> #define HAVE_FIPS
> #endif
So if you grab the source and simply do:
$ CFLAGS=-DOPENSSL_FIPS ./configure [other opts]
$ make
That ought to get you a FIPS-capable httpd.
To those down and dirty with httpd: is there a reason not to
UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
doesn't support FIPS mode, it will complain about it and refuse to
enter FIPS mode. The httpd code already handles this in
modules/ssl/ssl_engine_init.c:
> #ifdef HAVE_FIPS
>     if (sc->fips) {
>         if (!FIPS_mode()) {
>             if (FIPS_mode_set(1)) {
>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
>                              "Operating in SSL FIPS mode");
>             }
>             else {
>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
>                              "FIPS mode failed");
>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>                 return ssl_die(s);
>             }
>         }
>     }
>     else {
>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
>                      "SSL FIPS mode disabled");
>     }
> #endif
I don't see a compelling reason to have all the #ifdef HAVE_FIPS
conditionals all over the place.
Hope that helps,
-chris
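Added example, not code from the thread, from either poster, or from the httpd project: a POSIX sh probe that runs `httpd -t` against a throwaway config containing `SSLFIPS on` and sorts the result into the three outcomes the source quoted above distinguishes. Either the directive is rejected at parse time (httpd built without HAVE_FIPS, so the -DOPENSSL_FIPS rebuild is needed), or httpd has the code path but FIPS_mode_set(1) is refused by the linked OpenSSL, or FIPS mode is entered. Assumptions: `HTTPD` (default `httpd`) and `SSL_MODULE` (default `modules/mod_ssl.so`) are hypothetical environment variables naming the binary and the mod_ssl shared object; `httpd -t` runs mod_ssl's post_config hook, so the FIPS_mode_set() outcome is printed during the syntax check; the sample messages fed to the classifier are constructed from the strings quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the httpd project): probe whether an
# httpd binary accepts "SSLFIPS on" at all, and if so whether the OpenSSL it
# links can actually enter FIPS mode. The diagnostic strings matched below are
# the ones from ssl_engine_config.c / ssl_engine_init.c quoted in the thread.
# Assumptions: HTTPD and SSL_MODULE are hypothetical env vars naming the
# httpd binary and the mod_ssl .so; `httpd -t` runs mod_ssl's post_config
# init so the FIPS_mode_set() result shows up in the syntax-check output.

set -eu

# Classify startup / "httpd -t" output for a config containing "SSLFIPS on".
# Prints exactly one token so a caller can branch on it.
classify_fips_output() {
    case "$1" in
        *"SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS"*)
            # Directive rejected at parse time: httpd compiled without HAVE_FIPS.
            echo rebuild-httpd ;;
        *"FIPS mode failed"*)
            # httpd has the FIPS code path, but FIPS_mode_set(1) was refused
            # by the OpenSSL it is linked against.
            echo library-not-fips ;;
        *"Operating in SSL FIPS mode"*)
            echo fips-on ;;
        *)
            echo unknown ;;
    esac
}

# Live probe: write a minimal config with "SSLFIPS on", run the syntax check
# and classify whatever httpd says. Returns the classification token.
probe_httpd_fips() {
    httpd_bin="${1:-${HTTPD:-httpd}}"
    tmpd=$(mktemp -d)
    # LogLevel notice so the AH01884 "Operating in SSL FIPS mode" NOTICE is
    # not filtered out by the default "warn" level.
    cat >"$tmpd/httpd.conf" <<EOF
ServerRoot "$tmpd"
ServerName fips-probe.example
LoadModule ssl_module ${SSL_MODULE:-modules/mod_ssl.so}
LogLevel notice
SSLFIPS on
EOF
    # -t exits non-zero on the parse error; keep going so we can classify.
    out=$("$httpd_bin" -t -f "$tmpd/httpd.conf" 2>&1 || true)
    rm -rf "$tmpd"
    classify_fips_output "$out"
}

# Constructed sample: the exact error from the thread's original report.
sample='Syntax error on line 1 of /etc/apache2/httpd.conf:
SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS'
echo "sample output classifies as: $(classify_fips_output "$sample")"

# Only run the live probe when an httpd binary is actually available.
if command -v "${HTTPD:-httpd}" >/dev/null 2>&1; then
    echo "live probe: $(probe_httpd_fips)"
fi
```

Run it against a specific build with, for example, `HTTPD=/usr/sbin/apache2 SSL_MODULE=/usr/lib/apache2/modules/mod_ssl.so sh probe.sh`. The useful distinction is the second token: after the -DOPENSSL_FIPS rebuild described above, `rebuild-httpd` should no longer appear, and a `library-not-fips` result means the FIPS_mode_set(1) call in ssl_engine_init.c was refused by the OpenSSL httpd links, which is exactly the failure the quoted init code logs as AH01885 before calling ssl_die().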