From: Christopher Schultz
To: users@httpd.apache.org
Date: Wed, 10 Feb 2016 17:14:12 -0500
Subject: Re: [users@httpd] How to build Apache with FIPS mode capable?

Rich,

On 2/10/16 1:12 PM, cloud force wrote:
> I added the "SSLFIPS on" option to the httpd.conf as suggested in
> the ssl_mod doc, and I got the following error:
>
> * Starting web server apache2
>
> Syntax error on line 1 of /etc/apache2/httpd.conf:
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
> Action 'start' failed.
> The Apache error log may have more information.

It looks like httpd *must* be built against a FIPS-capable library.
From modules/ssl/ssl_engine_config.c:692:

> #ifdef HAVE_FIPS
>     if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
>         return "Conflicting SSLFIPS options, cannot be both On and Off";
>     sc->fips = flag ? TRUE : FALSE;
> #else
>     if (flag)
>         return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
> #endif
>
>     return NULL;
> }

So you think you really do have to re-build.

But the only thing that needs to be defined is OPENSSL_FIPS.
From modules/ssl/ssl_private.h:126:

> #if defined(OPENSSL_FIPS)
> #define HAVE_FIPS
> #endif

So if you grab the source and simply do:

$ CFLAGS=-DOPENSSL_FIPS ./configure [other opts]
$ make

That ought to get you a FIPS-capable httpd.

To those down and dirty with httpd: is there a reason not to
UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
doesn't support FIPS mode, it will complain about it and refuse to
enter FIPS mode. The httpd code already handles this in
modules/ssl/ssl_engine_init.c:

> #ifdef HAVE_FIPS
>     if(sc->fips) {
>         if (!FIPS_mode()) {
>             if (FIPS_mode_set(1)) {
>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884)
>                              "Operating in SSL FIPS mode");
>             }
>             else {
>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885)
>                              "FIPS mode failed");
>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>                 return ssl_die(s);
>             }
>         }
>     }
>     else {
>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886)
>                      "SSL FIPS mode disabled");
>     }
> #endif

I don't see a compelling reason to have all the #ifdef HAVE_FIPS
conditionals all over the place.

Hope that helps,
-chris
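As an added example (not part of the thread or of the httpd project), here is a POSIX shell helper that tells the three situations described above apart from the operator's side: it runs httpd's config test with "SSLFIPS on" injected through httpd's real -c option (a directive processed after the config files, so mod_ssl is already loaded) and classifies the output by the messages quoted in the thread. The httpd binary path, config path and the sample output lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project: classify what
# httpd reports about FIPS, using the messages quoted in the thread.
#
# classify_fips_state reads httpd/apachectl output (a config test or an
# error_log excerpt) on stdin and prints exactly one state:
#   not-fips-capable : "SSLFIPS invalid ..." at config parse, i.e. this
#                      httpd was built without HAVE_FIPS (the #else branch)
#   fips-failed      : AH01885, built with HAVE_FIPS but FIPS_mode_set(1)
#                      was refused by the linked OpenSSL
#   fips-on          : AH01884, operating in SSL FIPS mode
#   fips-off         : AH01886, SSLFIPS off (logged at debug level only)
#   fips-capable     : directive accepted at config time ("Syntax OK", or
#                      the "Conflicting SSLFIPS options" error, which only
#                      exists under HAVE_FIPS); runtime outcome is in error_log
#   unknown          : none of the known messages present
classify_fips_state() {
    input=$(cat)
    if printf '%s\n' "$input" | grep -q 'SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS'; then
        echo not-fips-capable
    elif printf '%s\n' "$input" | grep -q 'FIPS mode failed'; then
        echo fips-failed
    elif printf '%s\n' "$input" | grep -q 'Operating in SSL FIPS mode'; then
        echo fips-on
    elif printf '%s\n' "$input" | grep -q 'SSL FIPS mode disabled'; then
        echo fips-off
    elif printf '%s\n' "$input" | grep -q -e '^Syntax OK' -e 'Conflicting SSLFIPS options'; then
        echo fips-capable
    else
        echo unknown
    fi
}

# fips_config_test syntax-checks a config with "SSLFIPS on" appended via -c
# and classifies the result.  Both defaults are assumptions for this example.
# Usage: fips_config_test /usr/sbin/httpd /etc/apache2/httpd.conf
fips_config_test() {
    httpd_bin=${1:-/usr/sbin/httpd}
    conf=${2:-/etc/apache2/httpd.conf}
    "$httpd_bin" -t -f "$conf" -c 'SSLFIPS on' 2>&1 | classify_fips_state
}
```

A "not-fips-capable" result is the rebuild case from the thread; "fips-failed" means the rebuild worked but the OpenSSL actually linked is not a FIPS-capable build.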