./config autodetects the platform and such, passing various parameters to Configure. So, after you've built the canister, you can do as you want.

So, to do this, figure out from ./config what parameters it passes to Configure in the presence of the 'fips' argument, then modify the command line the packaging script invokes accordingly.

-Kyle H

On 2/10/2016 12:47 PM, cloud force wrote:
> Thanks Kyle.
>
> Yes, for building FIPS canister I did exactly the same thing as it
> mentioned in the security policy doc.
>
> My questions above were mainly regarding building the OpenSSL library
> itself with the fipscanister.o modules.
>
> In the doc it said we should just do "config fips", and since the
> Ubuntu OpenSSL packaging script does not run the config script and it
> runs the Configure script instead, I was wondering should I still run
> "./config fips" before running the Configure script, or should I just run
> "Configure fips" instead?
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
>
>     My understanding is, you must follow the steps given in the
>     Security Guide *exactly*, with no deviation, in order to produce a
>     validated binary of the FIPS canister. In other words, you *must
>     not* try to use Configure when attempting to build the FIPS
>     canister because it does not match the steps given in the Security
>     Guide.
>
>     Once you have the FIPS canister, you can build a version of
>     OpenSSL that uses it pretty much indiscriminately (as long as you
>     ensure that all the things that fipsld does actually happen when
>     it comes time to link).
>
>     (I apologize if my knowledge is out of date, I haven't been
>     following the FIPS development for a couple of years.)
>
>     -Kyle H
>
>
>     On 2/10/2016 12:23 PM, cloud force wrote:
>>     Hi Everyone,
>>
>>     I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
>>
>>     From the OpenSSL doc it mentioned we need to do ./config fips in
>>     order to build openssl under fips mode. I tried that and it
>>     worked well.
>>
>>     Now I am building the OpenSSL FIPS as a Ubuntu package. I noticed
>>     the package manager meta script uses the Configure (instead of
>>     config script) under the openssl source folder.
>>
>>     I was wondering should I also do "Configure fips", if I use the
>>     Configure script to configure the source tree? What's the
>>     relationship between config and Configure scripts?
>>
>>     Or should I just run ./config fips first and then let the package
>>     manager script run Configure?
>>
>>     Thanks.
>>     Rich
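
The comparison suggested in the top reply, sketched as an added example (not code from the thread or from OpenSSL): it takes the output of `./config -t fips ...`, where `-t` makes config print the Configure command instead of running it, and lists the arguments the packaging script's Configure line lacks. The sample output, the sample packaging arguments, the `/opt/fips` path and the function names are constructed for illustration, and the three-line output layout is an assumption.

```shell
#!/bin/sh
# Constructed sample of what `./config -t fips --with-fipsdir=/opt/fips`
# prints (assumed layout; real targets and options vary by platform).
SAMPLE_CONFIG_OUT='Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
/usr/bin/perl ./Configure linux-x86_64 fips --with-fipsdir=/opt/fips'

# Constructed stand-in for the Configure arguments a packaging script passes.
SAMPLE_PKG_ARGS='--prefix=/usr --openssldir=/usr/lib/ssl shared linux-x86_64'

# Print the arguments that follow "./Configure" in the config output.
configure_args() {
    printf '%s\n' "$1" | sed -n 's/^.*\.\/Configure  *//p' | tail -n 1
}

# Print every argument ./config would pass that the packaging line lacks.
# $1 = output of ./config -t ..., $2 = packaging script's Configure arguments
missing_args() {
    want=$(configure_args "$1")
    missing=''
    for arg in $want; do
        case " $2 " in
            *" $arg "*) ;;                      # already on the packaging line
            *) missing="$missing $arg" ;;       # must be added by hand
        esac
    done
    printf '%s\n' "${missing# }"
}

missing_args "$SAMPLE_CONFIG_OUT" "$SAMPLE_PKG_ARGS"
```
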