Apache 2.2.24 doesn't come up with FIPS capable openssl 1.0.1c

Cipher
Hi All,

I installed openssl 1.0.1c with FIPS and it works fine.

export OPENSSL_FIPS=1

[root@PC ~]# openssl SHA1 incore
SHA1(incore)= b5acba7f6333aafdfe9804d2aebe373c39024bc3
[root@PC ~]# openssl md5 incore
Error setting digest md5
139723413960360:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

Also, the ciphers option shows fewer ciphers.

I compiled HTTPD 2.2.24 against this openssl. But HTTPD is not coming up with SSLFIPS on, throwing the following errors.

[Mon Apr 01 19:07:46 2013] [emerg] FIPS mode failed
[Mon Apr 01 19:07:46 2013] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

Here are the details of the build procedure I followed for httpd.

1)Set Env Variables
        export INCLUDES="-I/software/common/mod_ssl/mod_ssl-2.8.30-1.3.39/pkg.sslmod"
        LIBS=-ldl
        export CPPFLAGS="-I/software/common/openssl/openssl-1.0.1c/include/openssl"
        export LD_LIBRARY_PATH="/software/common/openssl/openssl-1.0.1c/"

2)  ./configure  --with-ssl=/software/common/openssl/openssl-1.0.1c --enable-so --enable-ssl --enable-shared=ssl

3) make

This resulted in the libmod_ssl.a lib and the httpd binary.

The symbols in the lib and binary are:

[root@PC .libs]# nm -n -f 'sysv' libmod_ssl.a |  grep FIPS
ssl_cmd_SSLFIPS     |                |   U  |            NOTYPE|                |     |*UND*
ssl_cmd_SSLFIPS     |0000000000001130|  T  |              FUNC|000000000000006d|     |.text
FIPS_mode             |                |   U  |            NOTYPE|                |     |*UND*
FIPS_mode_set       |                |   U  |            NOTYPE|                |     |*UND*

[root@PC httpd-2.2.24]# nm -n -f 'sysv' httpd |  grep FIPS|grep .rodata
FIPS_rodata_start   |000000000062ecc0|   R  |            OBJECT|0000000000000010|     |.rodata
FIPS_hmac_key       |000000000062ecd0|   r  |            OBJECT|0000000000000011|     |.rodata
FIPS_bn_version     |000000000062eda0|   R  |            OBJECT|0000000000000036|     |.rodata
FIPS_rodata_end     |000000000063a040|   R  |            OBJECT|0000000000000010|     |.rodata

Can someone help me with this?

Thanks,
Cipher
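
The two error lines quoted in the post above report different conditions, and the packed error code tells them apart. The following is an added example, not part of the original post or of OpenSSL or Apache: it unpacks the code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason) and checks the decimal value mod_ssl prints against the hex one. The function names and triage labels are hypothetical; the library number 45 (FIPS) is taken from OpenSSL 1.0.x `err.h`.

```python
import re

# Constructed sample input: the error lines quoted in the post above.
SAMPLE_LOG = """\
[Mon Apr 01 19:07:46 2013] [emerg] FIPS mode failed
[Mon Apr 01 19:07:46 2013] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
139723413960360:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
"""

ERR_LIB_FIPS = 45  # library number from OpenSSL 1.0.x err.h

# Optional mod_ssl decimal prefix, then error:<hex>:<lib>:<func>:<reason>
ERR_RE = re.compile(
    r"(?:SSL Library Error: (?P<dec>\d+) )?"
    r"error:(?P<hex>[0-9A-Fa-f]{8}):(?P<lib>[^:\n]*):(?P<func>[^:\n]*):(?P<reason>[^:\n]*)"
)


def decode(code):
    """Unpack an OpenSSL 1.0.x error code: 8-bit lib, 12-bit func, 12-bit reason."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify(lib_no, reason_text):
    """Hypothetical triage labels (not OpenSSL terms)."""
    if lib_no == ERR_LIB_FIPS:
        return "fips-module-error"       # raised by the FIPS module itself
    if "disabled for fips" in reason_text:
        return "non-approved-algorithm"  # FIPS mode refused an algorithm
    return "other"


def triage(log_text):
    findings = []
    for m in ERR_RE.finditer(log_text):
        code = int(m["hex"], 16)
        lib_no, func_no, reason_no = decode(code)
        findings.append({
            "code": code, "lib": lib_no, "func": func_no, "reason": reason_no,
            "text": m["reason"].strip(),
            # mod_ssl logs the same code in decimal; a mismatch means a mangled line
            "decimal_ok": m["dec"] is None or int(m["dec"]) == code,
            "label": classify(lib_no, m["reason"]),
        })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On the sample, the md5 rejection is labelled as FIPS mode refusing a non-approved algorithm, while the httpd startup failure is labelled as an error raised by the FIPS module's own integrity check.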

Re: Apache 2.2.24 doesn't come up with FIPS capable openssl 1.0.1c

ken@bitzermobile.com
You have to statically link the openssl dynamic libraries

Re: Apache 2.2.24 doesn't come up with FIPS capable openssl 1.0.1c

Cipher
ken@bitzermobile.com wrote
You have to statically link the openssl dynamic libraries
How do I statically link the dynamic libraries? What configuration and make commands should I follow? I am a newbie at this. Any help is highly appreciated.