V2.4.7 and Open SSL 1.o.1f (FIPS) build error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I built and installed OpenSSL 1.0.1f in the FIPS mode.

I configured httpd-2.4.7 successfully to use mod_ssl:

  ...
  --with-ssl=/usr/local/ssl/fips-2.0

and, during the build, it stops here:

/usr/local/src/httpd-2.4.7/support/ab.c:509: undefined reference to
`FIPS_rand_seed'
/usr/local/src/httpd-2.4.7/support/ab.c:516: undefined reference to
`FIPS_rand_seed'
/usr/local/src/httpd-2.4.7/support/ab.c:522: undefined reference to
`FIPS_rand_seed'

A msg on the openssl list says, quote:
> Second try...
>
> The FIPS_rand_set_key and FIPS_rand_seed functions in 0.9.8 appear to have
> been removed in newer OpenSSL FIPS Object Module v2.0.
>

Those functions relate to the old X9.31 PRNG which isn't the default any more
for the 2.0 module. The default is the SP800-90 DRBG.

> Are there replacements?  Or are they not needed anymore?  If an
> application is in FIPS mode (i.e. the OpenSSL FIPS Object Module is in FIPS
> mode), can the application fork without having to reset the FIPS rand state?
>

Yes fork protection is included in the 2.0 module. In fact it was also in the
1.2.x module, you only needed to worry about fork for the 1.1 module.

> I see an interface called FIPS_x931_set_key, but I want to use an RBG that
> is compliant with SP 800-90 - which I believe the OpenSSL FIPS Object Module
> v2.0 supports.
>

In FIPS mode the default RAND method uses the SP800-90 DRBG so you use it
automatically.

> When does one use the RAND_init_fips function?
>

You don't normally need to call that at all: it is handled automaticaly when
you enter FIPS mode.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

End quote.

The openssl message is at: http://tinyurl.com/k5eyssc

I will try to back off FIPS for now but I sure would like to use it.

I'll file a bug if it's appropriate.

Best regards,

-Tom


I get this error:

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux