Thanks Jakob for the detailed info. On Thu, Feb 11, 2016 at 7:50 AM, Jakob Bohm <jb-openssl at wisemo.com> wrote: > On 10/02/2016 22:46, cloud force wrote: > >> Hi Everyone, >> >> I installed the FIPS capable openssl library (which was built by myself) >> on my Ubuntu linux box. >> >> For some reason, I keep running into the following errors whenever I run >> ssh related command: >> >> >> ssh: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version >> information available (required by ssh) >> >> >> The same error happens when I ran openssl command such as the following: >> >> linux-fips at ubuntu:/usr/local/ssl/lib$ openssl ciphers -v | wc -l >> openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information >> available (required by openssl) >> openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information >> available (required by openssl) >> openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information >> available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0) >> openssl: /lib/x86_64-linux-gnu/libcrypto.so.1.0.0: no version information >> available (required by /lib/x86_64-linux-gnu/libssl.so.1.0.0) >> >> The Debian-family (includes Ubuntu) standard OpenSSL shared > libraries is built in a special way to include "version tags" > in the resulting .so files, and all the openssl-needing > binaries in Debian/Ubuntu/etc. produce the error message > above if you install copies of those libraries without those > extra "version tags". > > There are two alternative ways to solve this: > > A) Build your FIPS-cabable OpenSSL (not the FIPScanister) > with all the extra steps and patches in the Ubuntu OpenSSL > source package (.dsc etc.), just adding the FIPS canister. > Note that some of the patches in the source package are > backports of the security fixes included in the latest > OpenSSL versions, you'll probably have to figure out the > details yourself (unless Kurt Roeckz posts a recipe > somewhere). > > B) Patch your FIPS-capable OpenSSL makefile (not the > FIPScanister makefile) to use a different .so-version, such > as .so.1.0.2 . Then your private openssl build will not be > used by the prepackaged software while software explicitly > compiled against your locally build OpenSSL will not > accidentally pick up the standard non-FIPS OpenSSL. > > > > Enjoy > > Jakob > -- > Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com > Transformervej 29, 2860 S?borg, Denmark. Direct +45 31 13 16 10 > This public discussion message is non-binding and may contain errors. > WiseMo - Remote Service Management for PCs, Phones and Embedded > > -- > openssl-users mailing list > To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users > -- Thanks, Rich -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160212/8c4d1ad3/attachment.html>
