httpd-users mailing list archives

From cloud force <>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Tue, 09 Feb 2016 23:21:18 GMT
Hi Chris,

Please see my comments below inline.


On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz <> wrote:

> Rich,
> On 2/9/16 4:09 PM, cloud force wrote:
> > Yes I do have some regulatory requirement to use FIPS and I have
> > built the FIPS capable OpenSSL lib.
> Where is that library located on the disk?

 [Rich] The new located in the same directory

> > I tried to add the "SSLFIPS on" parameter to the httpd.conf config
> > file as suggested in the ssl_mod manual page, but the httpd failed
> > to start with errors which seemed to be due to the fact that my apache
> > server was not compiled against an SSL library which supports the
> > FIPS_mode flag.
> Maybe you are getting the system-provided OpenSSL library and not the
> one you custom-built.
> > I need help with guidance on how to compile apache server with
> > FIPS capable OpenSSL lib so that the Apache server can be operating
> > under the OpenSSL FIPS mode.
> Recompiling httpd is never needed to switch-out a shared library. You
> just need to fix the way the OS loads things.
[Rich] How do I do that?

> What OS? What version of that OS? Architecture, etc.?
[Rich] Ubuntu Linux 64 bit (version 12.04)

> How did you install httpd?
[Rich] Httpd is packaged by Ubuntu as a package called apache2, and I
installed the apache2 package.

> How did you install OpenSSL (originally)?
[Rich] OpenSSL is also packaged by Ubuntu as a package. I installed the
original Ubuntu openssl package.

> Did you build the FIPS-capable OpenSSL library yourself or did you get
> it from some other source?

[Rich] I downloaded the FIPS module source and built it with the stock
openssl library, and then installed the newly rebuilt FIPS capable openssl
library. I was able to verify it: using the FIPS capable openssl lib,
running the openssl command to generate an MD5 checksum failed because it's
a non-approved FIPS algorithm.


> Where is the FIPS-capable OpenSSL library on the disk?
[Rich] The .so files are mostly under the directory  /lib/x86_64-linux-gnu/

> How do you launch httpd?
[Rich] Ubuntu uses an upstart script to launch services like httpd. I just ran
the upstart script (service apache2 start) to start the httpd.

> -chris
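Added example, not part of the original message and not code from the httpd or OpenSSL projects: one way to check the point raised in the thread, namely which libssl and libcrypto the dynamic loader resolves for mod_ssl, by parsing `ldd` output. The sample `ldd` text and the `/usr/local/ssl` path are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `ldd <mod_ssl.so>` output (not taken from the thread).
# It shows the mixed case: libssl from one directory, libcrypto from another.
SAMPLE_LDD='	linux-vdso.so.1 =>  (0x00007fff5a1fe000)
	libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3c1a000000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f3c19c00000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19800000)'

# resolved_lib LDD_TEXT NAME_PREFIX
# Prints the absolute path the loader resolved for the first library whose
# soname starts with NAME_PREFIX; prints nothing if it is absent or unresolved.
resolved_lib() {
    printf '%s\n' "$1" | awk -v want="$2" '
        index($1, want) == 1 && $2 == "=>" && $3 ~ /^\// { print $3; exit }'
}

# check_openssl_origin LDD_TEXT EXPECTED_DIR
# Returns 0 if libssl and libcrypto both resolve under EXPECTED_DIR,
# 1 if either resolves elsewhere, 2 if either is not resolved at all.
check_openssl_origin() {
    rc=0
    for lib in libssl.so libcrypto.so; do
        path=$(resolved_lib "$1" "$lib")
        if [ -z "$path" ]; then
            echo "$lib: not resolved"
            rc=2
            continue
        fi
        case "$path" in
            "$2"/*)
                echo "$lib: $path (under $2)"
                ;;
            *)
                echo "$lib: $path (NOT under $2)"
                if [ "$rc" -eq 0 ]; then rc=1; fi
                ;;
        esac
    done
    return "$rc"
}

# Real use (replace the placeholder with the actual module path):
#   check_openssl_origin "$(ldd /path/to/mod_ssl.so)" /lib/x86_64-linux-gnu
```

`ldd` reports resolution for the environment it is run in, so a service started with a different library search path can load a different copy.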