httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stormy <storm...@stormy.ca>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Wed, 10 Feb 2016 17:48:25 GMT
[Apologies for top-posting, and I've never used FIPS...]

Ubuntu 12.04 uses apache 2.2; the "out of the box" ssl.conf has the lines:

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

and [if I'm reading www.openssl.org correctly] FIPS is "v2"...

Best -- Paul


At 08:24 AM 2/10/2016 -0800, cloud force wrote:
>Hi Chris,
>
>Please see my comments below.
>
>Thanks,
>Rich
>
>On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz 
><<mailto:chris@christopherschultz.net>chris@christopherschultz.net> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>Rich,
>On 2/9/16 6:21 PM, cloud force wrote:
> > On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
> > <<mailto:chris@christopherschultz.net>chris@christopherschultz.net
> > <mailto:chris@christopherschultz.net>> wrote:
> >
> > Rich,
> >
> > On 2/9/16 4:09 PM, cloud force wrote:
> >> Yes I do have* *some regulatory requirement to use FIPS and I
> >> have built the FIPS capable OpenSSL lib.
> >
> > Where is that library located on the disk?
> >
> >> [Rich] The new libcrypto.so located in the same directory
> >> /lib/x86_64-linux-gnu/
> >
> >
> >
> >> I tried to add the "SSLFIPS on" parameter to the httpd.conf
> >> config file as suggested in the ssl_mod manual page, but the
> >> httpd failed to start with errors which seemed to due to the fact
> >> that my apache server was not compiled against an SSL library
> >> which support the FIPS_mode flag.
> >
> > Maybe you are getting the system-provided OpenSSL library and not
> > the one you custom-built.
> >
> >> I need helps with guidance of how to compile apache server with
> >> FIPS capable OpenSSL lib so that the Apache server can be
> >> operating under the OpenSSL FIPS mode.
> >
> > Recompiling httpd is never needed to switch-out a shared library.
> > You just need to fix the way the OS loads things.
> >
> >> [Rich] How do I do that?
>That depends upon the answers to your various questions.
> > What OS? What version of that OS? Architecture, etc.?
> >
> >> [Rich] Ubuntu Linux 64 bit (version 12.04)
> >
> >
> > How did you install httpd?
> >
> >> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
> >> and I installed the apache2 package.
>Good. Keep that package as it is.
> > How did you install OpenSSL (originally)?
> >
> >> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
> >> installed the original Ubuntu openssl package.
>Okay. And that package is still installed and not broken?
> > Did you build the FIPS-capable OpenSSL library yourself or did you
> > get it from some other source?
> >
> >> [Rich] I downloaded the FIPS modules source and built it with the
> >> stock openssl library, and then installed the newly rebuild FIPS
> >> capable openssl library. I was able to verify by using the FIPS
> >> capable openssl lib, running the openssl command to generate a
> >> MD5 checksum failed due to it's an non-approved FIPS algorithm.
>Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
>always work as long as you use the full path to the FIPS-capable
>openssl binary. Getting another program to load using the FIPS-capable
>library takes a bit of work.
> > Where is the FIPS-capable OpenSSL library on the disk?
> >
> >> [Rich] The .so files are mostly under the directory
> >> /lib/x86_64-linux-gnu/
>Isn't that where the Ubuntu-packages libraries are as well?
>
>[Rich] Yes, basically my newly built FIPS capable OpenSSL lib files 
>replaced the original Ubuntu installed ones.
>Â
>What does this command show?
>$ dpkg -L libssl1.0.0
>(This will still work if you have OpenSSL 1.0.1.)
>Where *exactly* are the FIPS-capable libraries you built? There should
>be several .so files produced by the build. What are they and where
>did you put them?
> > How do you launch httpd?
> >
> >> [Rich] Ubuntu uses upstart script to launch service like httpd. I
> >> just ran the upstart script (service apache2 start) to start the
> >> httpd.
>Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
>environment variable to point to the place where your FIPS-capable
>OpenSSL libraries are. But if you put them into the existing library
>search path, you may have broken both your original OpenSSL
>installation, plus the FIPS-capable libraries as well.
>
>[Rich] My understanding is, if I replace the Ubuntu installed OpenSSL lib 
>files with the FIPS capable version built by myself, as long as the 
>application which uses openssl (e.g. Apache server) doesn't explicitly 
>invoke FIPS_mode_set() API to enable FIPS mode, they will work pretty much 
>the same as there 's no FIPS.
> From the ssl_mod's doc it looks like I need to recomplile with some 
> different option so that it will allow Apache to invoke FIPS_mode_set 
> API, as I did find the FIPS_mode_set API got invoked somewhere in the 
> stock httpd source code. Is my understanding correct?
>It would be best to keep the FIPS-capable libraries somewhere out of
>the way where you won't confuse them with the package-installed ones.
>- -chris
>-----BEGIN PGP SIGNATURE-----
>Comment: GPGTools - <http://gpgtools.org>http://gpgtools.org
>Comment: Using GnuPG with Thunderbird - 
><http://www.enigmail.net/>http://www.enigmail.net/
>iEYEARECAAYFAla7VSQACgkQ9CaO5/Lv0PDqQACbBdzt3ek8ywxxUFgjhb8YXhf7
>1gAAnRRHqsNIEuOmd6OFjewx3M7UWZsa
>=JqxL
>-----END PGP SIGNATURE-----
>---------------------------------------------------------------------
>To unsubscribe, e-mail: 
><mailto:users-unsubscribe@httpd.apache.org>users-unsubscribe@httpd.apache.org
>For additional commands, e-mail: 
><mailto:users-help@httpd.apache.org>users-help@httpd.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message