Yann,

On 2/10/16 6:11 PM, Yann Ylavic wrote:
> Hi,
>
> On Wed, Feb 10, 2016 at 11:14 PM, Christopher Schultz
> <chris@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>>
>> To those down and dirty with httpd: is there a reason not to
>> UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the
>> library doesn't support FIPS mode, it will complain about it and
>> refuse to enter FIPS mode. The httpd code already handles this
>> in modules/ssl/ssl_engine_init.c:
>>
>>> #ifdef HAVE_FIPS
>>>     if (sc->fips) {
>>>         if (!FIPS_mode()) {
>>>             if (FIPS_mode_set(1)) {
>>>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
>>>                              "Operating in SSL FIPS mode");
>>>             }
>>>             else {
>>>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
>>>                              "FIPS mode failed");
>>>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>>>                 return ssl_die(s);
>>>             }
>>>         }
>>>     }
>>>     else {
>>>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
>>>                      "SSL FIPS mode disabled");
>>>     }
>>> #endif
>>
>> I don't see a compelling reason to have all the #ifdef HAVE_FIPS
>> conditionals all over the place.
>
> OPENSSL_FIPS is something defined by OpenSSL when FIPS has been
> ./config-ured. Apache httpd should be run against an OpenSSL
> version ABI-compatible with the one it was compiled with, whereas
> FIPS vs non-FIPS OpenSSLs are possibly not ABI-compatible...

That's the thing: I believe they *are* ABI-compatible, since OpenSSL
doesn't seem to conditionally-compile any of the declarations of its
functions... specifically FIPS_mode_set.

I haven't actually done any testing to confirm that they are
ABI-compatible, though.
-chris
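The open question in the thread is whether the libcrypto an httpd binary ends up loading actually exports FIPS_mode/FIPS_mode_set, and whether the loaded library is already running in FIPS mode. The following is an added example, not code from the thread or from httpd, that performs exactly that runtime check from Python via ctypes. It assumes a Linux-style dynamic loader (ctypes.util.find_library and ctypes.CDLL(None) are used), that the target library is a 1.0.x-era OpenSSL with the legacy FIPS entry points (OpenSSL 3.x removed FIPS_mode and FIPS_mode_set, so it reports "no-symbols" there), and the function and status names are this example's own, not OpenSSL's or httpd's.

```python
"""Probe a libcrypto for the legacy FIPS entry points (added example, not httpd code)."""
import ctypes
import ctypes.util

# Entry points the quoted httpd code calls; FIPS-capable OpenSSL 1.0.x exports both.
FIPS_SYMBOLS = ("FIPS_mode", "FIPS_mode_set")

# Status values are this example's own vocabulary (hypothetical, not OpenSSL's).
STATUSES = {"not-found", "load-failed", "no-symbols", "enabled", "disabled"}


def load_library(name):
    """Return a CDLL handle for `name` (soname, path, or None for the
    running process's global symbol scope), or None if dlopen fails."""
    try:
        return ctypes.CDLL(name)
    except OSError:
        return None


def probe_symbols(lib, names):
    """Map each symbol name to whether `lib` exports it.

    ctypes raises AttributeError for a missing export, so hasattr() is a
    cheap dlsym() probe without calling anything."""
    return {name: hasattr(lib, name) for name in names}


def fips_status(lib):
    """Classify what a loaded libcrypto says about FIPS support.

    "no-symbols": FIPS_mode/FIPS_mode_set are not exported, so the
                  httpd code path in the thread cannot be used at all.
    "enabled"   : FIPS_mode() returned non-zero.
    "disabled"  : FIPS_mode() returned zero (FIPS_mode_set(1) would still
                  have to succeed, which a non-FIPS build refuses)."""
    found = probe_symbols(lib, FIPS_SYMBOLS)
    if not all(found.values()):
        return "no-symbols"
    fips_mode = lib.FIPS_mode
    fips_mode.restype = ctypes.c_int
    fips_mode.argtypes = []
    # Only FIPS_mode() is called: it is a read-only query, unlike FIPS_mode_set().
    return "enabled" if fips_mode() else "disabled"


def probe_libcrypto(name=None):
    """Locate (or accept) a libcrypto and report its FIPS status.

    Returns a dict with the library name actually tried and one of STATUSES."""
    name = name or ctypes.util.find_library("crypto")
    if name is None:
        return {"library": None, "status": "not-found"}
    lib = load_library(name)
    if lib is None:
        return {"library": name, "status": "load-failed"}
    return {"library": name, "status": fips_status(lib)}


if __name__ == "__main__":
    # Pass an explicit soname or path to check the library a given httpd links against.
    print(probe_libcrypto())
```

Running this against the libcrypto that ldd reports for the httpd binary tells you, before editing any #ifdef, which of the three situations the quoted ssl_engine_init.c code would encounter: symbols absent (a load-time failure if httpd were built unconditionally against them), present but FIPS off, or present and already on.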