[Apologies for top-posting, and I've never used FIPS...]

Ubuntu 12.04 uses apache 2.2; the "out of the box" ssl.conf has the lines:

    # enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
    SSLProtocol all -SSLv2

and [if I'm reading www.openssl.org correctly] FIPS is "v2"...

Best
-- Paul

At 08:24 AM 2/10/2016 -0800, cloud force wrote:

> Hi Chris,
>
> Please see my comments below.
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Rich,
>
> On 2/9/16 6:21 PM, cloud force wrote:
> > On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
> > <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> >
> > Rich,
> >
> > On 2/9/16 4:09 PM, cloud force wrote:
> >> Yes I do have some regulatory requirement to use FIPS and I
> >> have built the FIPS capable OpenSSL lib.
> >
> > Where is that library located on the disk?
> >
> >> [Rich] The new libcrypto.so is located in the same directory,
> >> /lib/x86_64-linux-gnu/
> >
> >> I tried to add the "SSLFIPS on" parameter to the httpd.conf
> >> config file as suggested in the ssl_mod manual page, but the
> >> httpd failed to start with errors which seemed to be due to the fact
> >> that my apache server was not compiled against an SSL library
> >> which supports the FIPS_mode flag.
> >
> > Maybe you are getting the system-provided OpenSSL library and not
> > the one you custom-built.
> >
> >> I need help with guidance on how to compile apache server with
> >> the FIPS capable OpenSSL lib so that the Apache server can be
> >> operating under the OpenSSL FIPS mode.
> >
> > Recompiling httpd is never needed to switch out a shared library.
> > You just need to fix the way the OS loads things.
> >
> >> [Rich] How do I do that?
>
> That depends upon the answers to your various questions.
>
> > What OS? What version of that OS? Architecture, etc.?
> >
> >> [Rich] Ubuntu Linux 64 bit (version 12.04)
> >
> > How did you install httpd?
> >
> >> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
> >> and I installed the apache2 package.
>
> Good. Keep that package as it is.
>
> > How did you install OpenSSL (originally)?
> >
> >> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
> >> installed the original Ubuntu openssl package.
>
> Okay. And that package is still installed and not broken?
>
> > Did you build the FIPS-capable OpenSSL library yourself or did you
> > get it from some other source?
> >
> >> [Rich] I downloaded the FIPS module source and built it with the
> >> stock openssl library, and then installed the newly rebuilt FIPS
> >> capable openssl library. I was able to verify by using the FIPS
> >> capable openssl lib: running the openssl command to generate an
> >> MD5 checksum failed because it's a non-approved FIPS algorithm.
>
> Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
> always work as long as you use the full path to the FIPS-capable
> openssl binary. Getting another program to load using the
> FIPS-capable library takes a bit of work.
>
> > Where is the FIPS-capable OpenSSL library on the disk?
> >
> >> [Rich] The .so files are mostly under the directory
> >> /lib/x86_64-linux-gnu/
>
> Isn't that where the Ubuntu-packaged libraries are as well?
>
> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib files
> replaced the original Ubuntu installed ones.
>
> What does this command show?
>
>     $ dpkg -L libssl1.0.0
>
> (This will still work if you have OpenSSL 1.0.1.)
>
> Where *exactly* are the FIPS-capable libraries you built? There
> should be several .so files produced by the build. What are they and
> where did you put them?
>
> > How do you launch httpd?
> >
> >> [Rich] Ubuntu uses an upstart script to launch services like httpd. I
> >> just ran the upstart script (service apache2 start) to start the
> >> httpd.
>
> Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
> environment variable to point to the place where your FIPS-capable
> OpenSSL libraries are. But if you put them into the existing library
> search path, you may have broken both your original OpenSSL
> installation, plus the FIPS-capable libraries as well.
>
> [Rich] My understanding is, if I replace the Ubuntu installed OpenSSL
> lib files with the FIPS capable version built by myself, as long as
> the application which uses openssl (e.g. Apache server) doesn't
> explicitly invoke the FIPS_mode_set() API to enable FIPS mode, they
> will work pretty much the same as if there's no FIPS. From the
> ssl_mod doc it looks like I need to recompile with some different
> option so that it will allow Apache to invoke the FIPS_mode_set API,
> as I did find the FIPS_mode_set API gets invoked somewhere in the
> stock httpd source code. Is my understanding correct?
>
> It would be best to keep the FIPS-capable libraries somewhere out of
> the way where you won't confuse them with the package-installed ones.
>
> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
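The thread's underlying question is which libcrypto/libssl the apache2 binary actually resolves at load time, and whether that changes when LD_LIBRARY_PATH points at a separately installed FIPS-capable build. The script below is an added example, not code from anyone in the thread: it parses ldd-style output and reports whether every OpenSSL library comes from the expected directory. FIPS_LIB_DIR is an assumed install location and the two sample ldd outputs are constructed.

```shell
#!/bin/sh
# Added example: verify which OpenSSL shared objects a binary resolves.
# FIPS_LIB_DIR is an assumption; set it to wherever the custom build was
# installed (kept out of the distro's default search path, as advised above).
FIPS_LIB_DIR="${FIPS_LIB_DIR:-/opt/openssl-fips/lib}"

# Read ldd-style output on stdin; print "<soname> <resolved path>" for each
# libcrypto/libssl line. Statically linked binaries produce no lines at all.
openssl_libs() {
    awk '$1 ~ /^lib(crypto|ssl)\.so/ && $2 == "=>" { print $1, $3 }'
}

# Exit 0 only if at least one OpenSSL library is resolved and every one of
# them lives under directory $1; exit 1 otherwise (distro copy picked up, or
# no dynamic OpenSSL dependency found).
libs_under() {
    dir="$1"
    openssl_libs | awk -v d="$dir" '
        { n++; if (index($2, d "/") != 1) bad++ }
        END { exit (n == 0 || bad > 0) ? 1 : 0 }'
}

# Constructed sample: httpd resolving the Ubuntu-packaged libraries.
SAMPLE_DISTRO='	linux-vdso.so.1 => (0x00007fff00000000)
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f0000001000)
	libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

# Constructed sample: the same binary after LD_LIBRARY_PATH points at the
# FIPS-capable build.
SAMPLE_FIPS='	libssl.so.1.0.0 => /opt/openssl-fips/lib/libssl.so.1.0.0 (0x00007f0000001000)
	libcrypto.so.1.0.0 => /opt/openssl-fips/lib/libcrypto.so.1.0.0 (0x00007f0000002000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f0000003000)'

# Check a real binary with the same environment the service would need,
# e.g.: check_binary /usr/sbin/apache2
check_binary() {
    LD_LIBRARY_PATH="$FIPS_LIB_DIR" ldd "$1" | libs_under "$FIPS_LIB_DIR"
}
```

On Ubuntu's apache2 packaging the init/upstart script sources /etc/apache2/envvars, so an `export LD_LIBRARY_PATH=...` line there is what makes the running service and this check see the same library path.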