Re: How to build Apache with FIPS mode capable?

Hi Chris,

Please see my comments below inline.

Thanks,
Rich

On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:

Rich,

On 2/9/16 4:09 PM, cloud force wrote:
> Yes, I do have some regulatory requirement to use FIPS and I have
> built the FIPS capable OpenSSL lib.

Where is that library located on the disk?
[Rich] The new libcrypto.so is located in the same directory, /lib/x86_64-linux-gnu/.


> I tried to add the "SSLFIPS on" parameter to the httpd.conf config
> file as suggested in the ssl_mod manual page, but the httpd failed
> to start with errors which seemed to be due to the fact that my Apache
> server was not compiled against an SSL library which supports the
> FIPS_mode flag.

Maybe you are getting the system-provided OpenSSL library and not the
one you custom-built.

> I need help with guidance on how to compile the Apache server with a
> FIPS capable OpenSSL lib so that the Apache server can operate
> under the OpenSSL FIPS mode.

Recompiling httpd is never needed to switch out a shared library. You
just need to fix the way the OS loads things.
[Rich] How do I do that?

What OS? What version of that OS? Architecture, etc.?
[Rich] Ubuntu Linux 64 bit (version 12.04)
 
How did you install httpd?
[Rich] Httpd is packaged by Ubuntu as a package called apache2, and I installed the apache2 package.
 
How did you install OpenSSL (originally)?
[Rich] OpenSSL is also packaged by Ubuntu as a package. I installed the original Ubuntu openssl package.
 
Did you build the FIPS-capable OpenSSL library yourself or did you get
it from some other source?
[Rich] I downloaded the FIPS modules source and built it with the stock openssl library, and then installed the newly rebuilt FIPS capable openssl library. I was able to verify this by using the FIPS capable openssl lib: running the openssl command to generate an MD5 checksum failed because it is a non-approved FIPS algorithm.
 
 
Where is the FIPS-capable OpenSSL library on the disk?
[Rich] The .so files are mostly under the directory /lib/x86_64-linux-gnu/
 
How do you launch httpd?
[Rich] Ubuntu uses an upstart script to launch services like httpd. I just ran the upstart script (service apache2 start) to start the httpd.
 

-chris
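As an added diagnostic (example code, not from the thread or from either poster), the following POSIX shell script answers Chris's "which library is actually loaded" question for a running Ubuntu apache2: it lists the libcrypto objects each worker has mapped according to /proc/<pid>/maps, and checks whether that object exports the FIPS_mode_set symbol, i.e. came from a FIPS-capable OpenSSL build. The mod_ssl.so path and the sample maps lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Shows which libcrypto a running
# apache2 has actually mapped and whether that library was built FIPS-capable.

# Print the distinct libcrypto paths found in /proc/<pid>/maps text on stdin.
# The sixth whitespace-separated field of a maps line is the backing file.
libcrypto_paths_from_maps() {
    awk '$6 ~ /libcrypto\.so/ { print $6 }' | sort -u
}

# Constructed sample of /proc/<pid>/maps lines (not captured from a real host):
# two mappings of one libcrypto, plus libssl and mod_ssl, which must be ignored.
SAMPLE_MAPS='7f0a1c000000-7f0a1c1c0000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f0a1c1c0000-7f0a1c3c0000 ---p 001c0000 08:01 1234 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7f0a1c400000-7f0a1c460000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libssl.so.1.0.0
7f0a1c500000-7f0a1c520000 r-xp 00000000 08:01 9012 /usr/lib/apache2/modules/mod_ssl.so'

# Return 0 if the shared object at $1 exports FIPS_mode_set (dynamic symbol
# table), which a FIPS-capable OpenSSL libcrypto does. Needs nm from binutils.
has_fips_symbols() {
    nm -D "$1" 2>/dev/null | awk '$NF == "FIPS_mode_set" { found = 1 } END { exit !found }'
}

# What the dynamic loader would resolve for mod_ssl before httpd even starts.
MOD_SSL=/usr/lib/apache2/modules/mod_ssl.so   # assumed Ubuntu path
if [ -f "$MOD_SSL" ]; then
    ldd "$MOD_SSL" | grep -E 'libcrypto|libssl'
fi

# What each running apache2 process has actually mapped (pidof: sysvinit-utils).
for pid in $(pidof apache2 2>/dev/null); do
    for lib in $(libcrypto_paths_from_maps < "/proc/$pid/maps"); do
        if has_fips_symbols "$lib"; then status=FIPS-capable; else status=not-FIPS-capable; fi
        echo "pid $pid: $lib ($status)"
    done
done
```

If the ldd line and the per-process lines name different libcrypto files, or the mapped one is reported not-FIPS-capable, the loader is still picking up a library other than the rebuilt one.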
