httpd-users mailing list archives

From Tom Browder <tom.brow...@gmail.com>
Subject [users@httpd] V2.4.7 and Open SSL 1.0.1f (FIPS) build error
Date Mon, 17 Feb 2014 23:33:13 GMT
I built and installed OpenSSL 1.0.1f in the FIPS mode.

I configured httpd-2.4.7 successfully to use mod_ssl:

  ...
  --with-ssl=/usr/local/ssl/fips-2.0

and, during the build, it stops here:

/usr/local/src/httpd-2.4.7/support/ab.c:509: undefined reference to
`FIPS_rand_seed'
/usr/local/src/httpd-2.4.7/support/ab.c:516: undefined reference to
`FIPS_rand_seed'
/usr/local/src/httpd-2.4.7/support/ab.c:522: undefined reference to
`FIPS_rand_seed'

A msg on the openssl list says, quote:
> Second try...
>
> The FIPS_rand_set_key and FIPS_rand_seed functions in 0.9.8 appear to have
> been removed in newer OpenSSL FIPS Object Module v2.0.
>

Those functions relate to the old X9.31 PRNG which isn't the default any more
for the 2.0 module. The default is the SP800-90 DRBG.

> Are there replacements?  Or are they not needed anymore?  If an
> application is in FIPS mode (i.e. the OpenSSL FIPS Object Module is in FIPS
> mode), can the application fork without having to reset the FIPS rand state?
>

Yes fork protection is included in the 2.0 module. In fact it was also in the
1.2.x module, you only needed to worry about fork for the 1.1 module.

> I see an interface called FIPS_x931_set_key, but I want to use an RBG that
> is compliant with SP 800-90 - which I believe the OpenSSL FIPS Object Module
> v2.0 supports.
>

In FIPS mode the default RAND method uses the SP800-90 DRBG so you use it
automatically.

> When does one use the RAND_init_fips function?
>

You don't normally need to call that at all: it is handled automatically when
you enter FIPS mode.

Steve.
-- 
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

End quote.

The openssl message is at: http://tinyurl.com/k5eyssc

I will try to back off FIPS for now but I sure would like to use it.

I'll file a bug if it's appropriate.

Best regards,

-Tom


I get this error:
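
A pre-build check based on the quoted openssl-list reply, as an added example that is not part of the original message or of the httpd or OpenSSL sources: it lists call sites of the PRNG functions named in the thread so they can be reviewed before linking against the FIPS 2.0 module. The function names `audit_fips_prng` and `check_fips_prng` and the notes table are constructed for this example.

```shell
#!/bin/sh
# Added example: audit a source tree for calls tied to the old X9.31 PRNG.
# Symbol names and notes are taken from the quoted openssl-list reply;
# the function names below are constructed for this example.

# One "symbol|note" pair per line.
FIPS_PRNG_NOTES='FIPS_rand_seed|X9.31 PRNG call, reported removed in FIPS module 2.0
FIPS_rand_set_key|X9.31 PRNG call, reported removed in FIPS module 2.0
FIPS_x931_set_key|X9.31 interface; the 2.0 default is the SP800-90 DRBG
RAND_init_fips|normally unnecessary; handled on entering FIPS mode'

# Print "file:line: symbol: note" for each call-like reference under $1.
# The leading character class keeps names such as my_FIPS_rand_seed from matching.
audit_fips_prng() {
    echo "$FIPS_PRNG_NOTES" | while IFS='|' read -r sym note; do
        find "$1" -type f \( -name '*.c' -o -name '*.h' \) \
            -exec grep -nHE "(^|[^A-Za-z0-9_])${sym}[[:space:]]*\\(" {} + 2>/dev/null |
        while IFS=: read -r file line _rest; do
            echo "$file:$line: $sym: $note"
        done
    done
}

# Return 1 (findings on stderr) when any reference exists, so a build
# script can stop before the link step fails with "undefined reference".
check_fips_prng() {
    findings=$(audit_fips_prng "$1")
    [ -z "$findings" ] && return 0
    echo "$findings" >&2
    return 1
}

# When run as a script, audit the directory given as the first argument.
if [ "$#" -gt 0 ]; then
    check_fips_prng "$1"
fi
```

The match is textual, so a reference inside a C comment or a disabled `#if` branch is reported as well and needs a manual look.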
