Re: How to build Apache with FIPS mode capable?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi Chris,

On Wed, Feb 10, 2016 at 9:50 AM, Christopher Schultz <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rich,

On 2/10/16 11:24 AM, cloud force wrote:
> Hi Chris,
>
> Please see my comments below.
>
> Thanks, Rich
>
> On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz
> <chris@xxxxxxxxxxxxxxxxxxxxxx
> <mailto:chris@xxxxxxxxxxxxxxxxxxxxxx>> wrote:
>
> Rich,
>
> On 2/9/16 6:21 PM, cloud force wrote:
>> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
>> <chris@xxxxxxxxxxxxxxxxxxxxxx
>> <mailto:chris@xxxxxxxxxxxxxxxxxxxxxx>
>> <mailto:chris@xxxxxxxxxxxxxxxxxxxxxx
>> <mailto:chris@xxxxxxxxxxxxxxxxxxxxxx>>>
> wrote:
>
>> Rich,
>
>> On 2/9/16 4:09 PM, cloud force wrote:
>>> Yes I do have* *some regulatory requirement to use FIPS and I
>>> have built the FIPS capable OpenSSL lib.
>
>> Where is that library located on the disk?
>
>>> [Rich] The new libcrypto.so located in the same directory
>>> /lib/x86_64-linux-gnu/
>
>
>
>>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>>> config file as suggested in the ssl_mod manual page, but the
>>> httpd failed to start with errors which seemed to due to the
>>> fact that my apache server was not compiled against an SSL
>>> library which support the FIPS_mode flag.
>
>> Maybe you are getting the system-provided OpenSSL library and
>> not the one you custom-built.
>
>>> I need helps with guidance of how to compile apache server
>>> with FIPS capable OpenSSL lib so that the Apache server can be
>>> operating under the OpenSSL FIPS mode.
>
>> Recompiling httpd is never needed to switch-out a shared
>> library. You just need to fix the way the OS loads things.
>
>>> [Rich] How do I do that?
>
> That depends upon the answers to your various questions.
>
>> What OS? What version of that OS? Architecture, etc.?
>
>>> [Rich] Ubuntu Linux 64 bit (version 12.04)
>
>
>> How did you install httpd?
>
>>> [Rich] Httpd is packaged by Ubuntu as a package called
>>> apache2, and I installed the apache2 package.
>
> Good. Keep that package as it is.
>
>> How did you install OpenSSL (originally)?
>
>>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
>>> installed the original Ubuntu openssl package.
>
> Okay. And that package is still installed and not broken?
>
>> Did you build the FIPS-capable OpenSSL library yourself or did
>> you get it from some other source?
>
>>> [Rich] I downloaded the FIPS modules source and built it with
>>> the stock openssl library, and then installed the newly rebuild
>>> FIPS capable openssl library. I was able to verify by using the
>>> FIPS capable openssl lib, running the openssl command to
>>> generate a MD5 checksum failed due to it's an non-approved FIPS
>>> algorithm.
>
> Okay, good. IIRC, the "openssl" CLI is statically-linked so that
> will always work as long as you use the full path to the
> FIPS-capable openssl binary. Getting another program to load using
> the FIPS-capable library takes a bit of work.
>
>> Where is the FIPS-capable OpenSSL library on the disk?
>
>>> [Rich] The .so files are mostly under the directory
>>> /lib/x86_64-linux-gnu/
>
> Isn't that where the Ubuntu-packages libraries are as well?
>
>> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
>> files replaced the original Ubuntu installed ones.
>
>
>
> What does this command show?
>
> $ dpkg -L libssl1.0.0
>
> (This will still work if you have OpenSSL 1.0.1.)
>
> Where *exactly* are the FIPS-capable libraries you built? There
> should be several .so files produced by the build. What are they
> and where did you put them?
>
>> How do you launch httpd?
>
>>> [Rich] Ubuntu uses upstart script to launch service like httpd.
>>> I just ran the upstart script (service apache2 start) to start
>>> the httpd.
>
> Ultimately, this is going to involve you adjusting the
> LD_LIBRARY_PATH environment variable to point to the place where
> your FIPS-capable OpenSSL libraries are. But if you put them into
> the existing library search path, you may have broken both your
> original OpenSSL installation, plus the FIPS-capable libraries as
> well.
>
>> [Rich] My understanding is, if I replace the Ubuntu installed
>> OpenSSL lib files with the FIPS capable version built by myself,
>> as long as the application which uses openssl (e.g. Apache
>> server) doesn't explicitly invoke FIPS_mode_set() API to enable
>> FIPS mode, they will work pretty much the same as there 's no
>> FIPS.

Agreed.

>> From the ssl_mod's doc it looks like I need to recomplile with
>> some different option so that it will allow Apache to invoke
>> FIPS_mode_set API, as I did find the FIPS_mode_set API got
>> invoked somewhere in the stock httpd source code. Is my
>> understanding correct?

I might need some help from the httpd gurus here. If httpd has #ifdefs
that require that the compile-time library be FIPS-capable in order to
build against it, then httpd will in fact have to be rebuilt.

OpenSSL itself does not conditionally-compile or conditionally-declare
the FIPS_mode_set(int) function call, so building against a
non-FIPS-capable library (the set of header files, really) should
still allow you to call FIPS_mode_set at runtime.

What exact error message did you get when trying to start httpd with
FIPSMode On? You never actually posted that.
I added the "SSLFIPS on" option to the httpd.conf as suggested in the ssl_mod doc, and I got the following error:

 * Starting web server apache2                                                                                                                                Syntax error on line 1 of /etc/apache2/httpd.conf:

SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS

Action 'start' failed.

The Apache error log may have more information.

 




> It would be best to keep the FIPS-capable libraries somewhere out
> of the way where you won't confuse them with the package-installed
> ones.

Note that by replacing the package-manager-supplied libraries, you'll
end up breaking everything whenever a security patch for OpenSSL is
provided by your package manager.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7eFEACgkQ9CaO5/Lv0PBWkgCdEAAV6hySl/ambxzad/n9lWh1
XbcAn1hwQp0p5BKjTPoWyxTcydFSYvLV
=gu7X
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux