Rich,

On 2/10/16 11:24 AM, cloud force wrote:
> Hi Chris,
>
> Please see my comments below.
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz
> <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
>> Rich,
>>
>> On 2/9/16 6:21 PM, cloud force wrote:
>>> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
>>> <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>
>>>> Rich,
>>>>
>>>> On 2/9/16 4:09 PM, cloud force wrote:
>>>>> Yes, I do have some regulatory requirement to use FIPS and I
>>>>> have built the FIPS capable OpenSSL lib.
>>>>
>>>> Where is that library located on the disk?
>>>
>>> [Rich] The new libcrypto.so is located in the same directory,
>>> /lib/x86_64-linux-gnu/
>>>
>>>>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>>>>> config file as suggested in the ssl_mod manual page, but the
>>>>> httpd failed to start with errors which seemed to be due to the
>>>>> fact that my apache server was not compiled against an SSL
>>>>> library which supports the FIPS_mode flag.
>>>>
>>>> Maybe you are getting the system-provided OpenSSL library and
>>>> not the one you custom-built.
>>>>
>>>>> I need help with guidance on how to compile the apache server
>>>>> with the FIPS capable OpenSSL lib so that the Apache server can
>>>>> be operating under the OpenSSL FIPS mode.
>>>>
>>>> Recompiling httpd is never needed to switch out a shared
>>>> library. You just need to fix the way the OS loads things.
>>>
>>> [Rich] How do I do that?
>>
>> That depends upon the answers to your various questions.
>>
>>>> What OS? What version of that OS? Architecture, etc.?
>>>
>>> [Rich] Ubuntu Linux 64 bit (version 12.04)
>>
>>>> How did you install httpd?
>>>
>>> [Rich] Httpd is packaged by Ubuntu as a package called
>>> apache2, and I installed the apache2 package.
>>
>> Good. Keep that package as it is.
>>
>>>> How did you install OpenSSL (originally)?
>>>
>>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
>>> installed the original Ubuntu openssl package.
>>
>> Okay. And that package is still installed and not broken?
>>
>>>> Did you build the FIPS-capable OpenSSL library yourself or did
>>>> you get it from some other source?
>>>
>>> [Rich] I downloaded the FIPS module source and built it with
>>> the stock openssl library, and then installed the newly rebuilt
>>> FIPS capable openssl library. I was able to verify it by using the
>>> FIPS capable openssl lib: running the openssl command to
>>> generate an MD5 checksum failed because it's a non-approved FIPS
>>> algorithm.
>>
>> Okay, good. IIRC, the "openssl" CLI is statically-linked so that
>> will always work as long as you use the full path to the
>> FIPS-capable openssl binary. Getting another program to load using
>> the FIPS-capable library takes a bit of work.
>>
>>>> Where is the FIPS-capable OpenSSL library on the disk?
>>>
>>> [Rich] The .so files are mostly under the directory
>>> /lib/x86_64-linux-gnu/
>>
>> Isn't that where the Ubuntu-packaged libraries are as well?
>
> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
> files replaced the original Ubuntu installed ones.
>
>> What does this command show?
>>
>> $ dpkg -L libssl1.0.0
>>
>> (This will still work if you have OpenSSL 1.0.1.)
>>
>> Where *exactly* are the FIPS-capable libraries you built? There
>> should be several .so files produced by the build. What are they
>> and where did you put them?
>>
>>>> How do you launch httpd?
>>>
>>> [Rich] Ubuntu uses an upstart script to launch services like
>>> httpd. I just ran the upstart script (service apache2 start) to
>>> start the httpd.
>>
>> Ultimately, this is going to involve you adjusting the
>> LD_LIBRARY_PATH environment variable to point to the place where
>> your FIPS-capable OpenSSL libraries are. But if you put them into
>> the existing library search path, you may have broken both your
>> original OpenSSL installation, plus the FIPS-capable libraries as
>> well.
>
> [Rich] My understanding is, if I replace the Ubuntu installed
> OpenSSL lib files with the FIPS capable version built by myself,
> as long as the application which uses openssl (e.g. Apache
> server) doesn't explicitly invoke the FIPS_mode_set() API to enable
> FIPS mode, they will work pretty much the same as if there's no
> FIPS.

Agreed.

> From the ssl_mod's doc it looks like I need to recompile with
> some different option so that it will allow Apache to invoke the
> FIPS_mode_set API, as I did find the FIPS_mode_set API getting
> invoked somewhere in the stock httpd source code. Is my
> understanding correct?

I might need some help from the httpd gurus here. If httpd has
#ifdefs that require that the compile-time library be FIPS-capable in
order to build against it, then httpd will in fact have to be rebuilt.

OpenSSL itself does not conditionally compile or conditionally declare
the FIPS_mode_set(int) function call, so building against a
non-FIPS-capable library (the set of header files, really) should
still allow you to call FIPS_mode_set at runtime.

What exact error message did you get when trying to start httpd with
FIPSMode On? You never actually posted that.

> It would be best to keep the FIPS-capable libraries somewhere out
> of the way where you won't confuse them with the package-installed
> ones.

Note that by replacing the package-manager-supplied libraries, you'll
end up breaking everything whenever a security patch for OpenSSL is
provided by your package manager.

-chris
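The two checks the thread keeps circling back to (which libssl/libcrypto an httpd module really resolves at run time, and whether the files the Ubuntu package owns have been overwritten by a hand-built library) can be scripted. The POSIX shell script below is an added example; it is not code from the thread, from httpd or from OpenSSL. The paths and names it uses (/usr/lib/apache2/modules/mod_ssl.so, /usr/bin/openssl, the libssl1.0.0 package and its /var/lib/dpkg/info/<pkg>.md5sums list, the FIPS_LIBDIR variable) are assumptions for an Ubuntu 12.04 amd64 box like the one described; adjust them for your system.

```shell
#!/bin/sh
# Added example (not from the thread): report which libssl/libcrypto an ELF
# object resolves at run time, and whether the resolved files are still the
# ones the Ubuntu package shipped. Package name, md5sums path and the object
# paths in report() are assumptions for Ubuntu 12.04 amd64.

# Parse ldd-style output on stdin and print "<soname> <resolved path>" for each
# libssl/libcrypto line, or "<soname> MISSING" when the loader cannot find it.
crypto_libs_from_ldd() {
    awk '/^[ \t]*lib(ssl|crypto)\./ {
        path = ($2 == "=>" && $3 != "not") ? $3 : "MISSING"
        print $1, path
    }'
}

# Resolve the OpenSSL libraries for one ELF object. An optional second argument
# is a directory to put first in the search order, i.e. what exporting
# LD_LIBRARY_PATH for httpd would do. Usage: resolve_crypto_libs <object> [libdir]
resolve_crypto_libs() {
    obj=$1; libdir=${2:-}
    {
        if [ -n "$libdir" ]; then
            LD_LIBRARY_PATH="$libdir${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}" ldd "$obj"
        else
            ldd "$obj"
        fi
    } | crypto_libs_from_ldd
}

# Compare a file against a dpkg-style md5sums list ("<md5>  <path relative to />").
# Returns 0 if the hash matches (file is what the package shipped), 1 if it
# differs (overwritten, e.g. by a hand-built libcrypto), 2 if the path is not
# listed at all (the package does not own it).
check_against_md5sums() {
    md5file=$1; file=$2
    rel=${file#/}
    expected=$(awk -v p="$rel" '$2 == p { print $1; exit }' "$md5file")
    [ -n "$expected" ] || return 2
    actual=$(md5sum "$file" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Report for the packaged mod_ssl and the openssl CLI. Set FIPS_LIBDIR to
# preview what the loader would pick with that directory in LD_LIBRARY_PATH.
report() {
    pkg=libssl1.0.0
    sums=/var/lib/dpkg/info/$pkg:amd64.md5sums          # multiarch name
    [ -f "$sums" ] || sums=/var/lib/dpkg/info/$pkg.md5sums
    for obj in /usr/lib/apache2/modules/mod_ssl.so /usr/bin/openssl; do
        echo "== $obj"
        resolve_crypto_libs "$obj" "${FIPS_LIBDIR:-}" | while read -r so path; do
            if [ "$path" = MISSING ]; then
                echo "$so: not found by the loader"
                continue
            fi
            rc=0; check_against_md5sums "$sums" "$path" || rc=$?
            case $rc in
                0) echo "$so -> $path (unmodified file from $pkg)" ;;
                1) echo "$so -> $path (owned by $pkg but NOT the file it shipped)" ;;
                *) echo "$so -> $path (not owned by $pkg)" ;;
            esac
        done
    done
}

if [ "${1:-}" = report ]; then report; fi
```

Run it as `sh check_openssl_libs.sh report` on the box; an "owned by libssl1.0.0 but NOT the file it shipped" line under mod_ssl.so is the situation described in the thread (the package files were overwritten, so the next OpenSSL security update from the package manager will silently put the non-FIPS build back). Run it again as `FIPS_LIBDIR=/opt/openssl-fips/lib sh check_openssl_libs.sh report` (directory name assumed) to confirm the loader would pick the out-of-the-way copy before you export LD_LIBRARY_PATH where the Debian/Ubuntu apache2 init script reads its environment, which is /etc/apache2/envvars. The openssl CLI is checked as well because, as packaged on Ubuntu, it is dynamically linked against the same libssl1.0.0 files, so "openssl md5 fails" only tells you what that binary loaded, not what httpd loads. Two caveats a practitioner will want: the dynamic loader ignores LD_LIBRARY_PATH for setuid programs (suexec, for example), and whatever directory you point it at must not be writable by the httpd user, or you have handed anyone who can write there code execution inside the server.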