httpd-users mailing list archives

From cloud force <cloud.force...@gmail.com>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Tue, 09 Feb 2016 23:21:18 GMT
Hi Chris,

Please see my comments below inline.

Thanks,
Rich

On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Rich,
>
> On 2/9/16 4:09 PM, cloud force wrote:
> > Yes, I do have some regulatory requirement to use FIPS and I have
> > built the FIPS-capable OpenSSL lib.
>
> Where is that library located on the disk?

[Rich] The new libcrypto.so is located in the same directory,
/lib/x86_64-linux-gnu/


>
> > I tried to add the "SSLFIPS on" parameter to the httpd.conf config
> > file as suggested in the mod_ssl manual page, but httpd failed
> > to start with errors which seemed to be due to the fact that my Apache
> > server was not compiled against an SSL library which supports the
> > FIPS_mode flag.
>
> Maybe you are getting the system-provided OpenSSL library and not the
> one you custom-built.
>
> > I need help with guidance on how to compile the Apache server with a
> > FIPS-capable OpenSSL lib so that the Apache server can operate
> > under the OpenSSL FIPS mode.
>
> Recompiling httpd is never needed to switch out a shared library. You
> just need to fix the way the OS loads things.
>
[Rich] How do I do that?

>
> What OS? What version of that OS? Architecture, etc.?
>
[Rich] Ubuntu Linux 64 bit (version 12.04)


> How did you install httpd?
>
[Rich] Httpd is packaged by Ubuntu as a package called apache2, and I
installed the apache2 package.


> How did you install OpenSSL (originally)?
>
[Rich] OpenSSL is also packaged by Ubuntu as a package. I installed the
original Ubuntu openssl package.


> Did you build the FIPS-capable OpenSSL library yourself or did you get
> it from some other source?

[Rich] I downloaded the FIPS module source and built it with the stock
openssl library, and then installed the newly rebuilt FIPS-capable openssl
library. I was able to verify this by using the FIPS-capable openssl lib:
running the openssl command to generate an MD5 checksum failed because MD5
is not a FIPS-approved algorithm.


>
> Where is the FIPS-capable OpenSSL library on the disk?
>
[Rich] The .so files are mostly under the directory /lib/x86_64-linux-gnu/


> How do you launch httpd?
>
[Rich] Ubuntu uses an upstart script to launch services like httpd. I just ran
the upstart script (service apache2 start) to start httpd.


>
> -chris

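The loader question raised above (is mod_ssl picking up the stock libcrypto or the FIPS-capable one dropped into /lib/x86_64-linux-gnu/?) can be answered without recompiling anything, by asking the dynamic loader itself. The script below is an added example, not code from anyone in this thread: the mod_ssl.so path is an assumption based on the Ubuntu apache2 package layout, and the ldd output embedded in it is constructed so the script runs on a machine without mod_ssl installed.

```shell
#!/bin/sh
# Added example (not from the thread): find out which libcrypto a shared
# object actually resolves to, and whether that library exports FIPS_mode.
# The mod_ssl.so path below is an assumption based on the Ubuntu apache2
# package layout; adjust it for your host.

# Extract the resolved libcrypto path from ldd output read on stdin.
# Prints the path after "=>", or "not found" if the loader cannot find it.
resolve_libcrypto() {
    awk '/libcrypto\.so/ {
        if ($3 == "not") { print "not found"; exit }
        for (i = 1; i <= NF; i++) if ($i == "=>") { print $(i + 1); exit }
    }'
}

# Return 0 if the library exports FIPS_mode (an OpenSSL 1.0.x FIPS-capable
# build does, a stock build does not), 1 if it does not, 2 if it could not
# be inspected (no nm on the host, or the file is unreadable here).
has_fips_symbol() {
    lib="$1"
    if ! command -v nm >/dev/null 2>&1 || [ ! -r "$lib" ]; then
        return 2
    fi
    nm -D "$lib" 2>/dev/null | grep -q ' T FIPS_mode$'
}

# Constructed sample ldd output in the shape a 64-bit Ubuntu host prints;
# used when mod_ssl.so is not available on the machine running this script.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007fff5e3ff000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f4a1c200000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f4a1be00000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f4a1ba00000)'

# Report which libcrypto the given module will load and whether it is FIPS capable.
check_module() {
    mod="${1:-/usr/lib/apache2/modules/mod_ssl.so}"   # assumed path
    libcrypto=""
    if [ -r "$mod" ] && command -v ldd >/dev/null 2>&1; then
        libcrypto=$(ldd "$mod" | resolve_libcrypto) || true
    else
        echo "note: $mod not readable here, using constructed sample ldd output" >&2
        libcrypto=$(printf '%s\n' "$SAMPLE_LDD" | resolve_libcrypto)
    fi
    echo "libcrypto resolved for $mod: ${libcrypto:-<none>}"
    if [ -n "$libcrypto" ] && [ "$libcrypto" != "not found" ]; then
        rc=0
        has_fips_symbol "$libcrypto" || rc=$?
        case $rc in
            0) echo "FIPS_mode is exported: this libcrypto is FIPS capable" ;;
            2) echo "could not inspect symbols (nm missing or library unreadable)" ;;
            *) echo "FIPS_mode is not exported: 'SSLFIPS on' will fail against this library" ;;
        esac
    fi
}

check_module "$@"
```

Run it as `sh check_libcrypto.sh /usr/lib/apache2/modules/mod_ssl.so` on the web server; if the resolved path is a libcrypto without FIPS_mode, `ldconfig -p | grep libcrypto` shows what the loader cache prefers and `ldconfig` (or an LD_LIBRARY_PATH entry in the service's environment) is the place to change it, not the httpd build. One caveat worth noting: a FIPS-capable libcrypto installed under the distro's own path and soname in /lib/x86_64-linux-gnu/ will be overwritten the next time the Ubuntu openssl package is upgraded, so re-run this check after package updates.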