httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Tom Browder <>
Subject [users@httpd] V2.4.7 and Open SSL 1.o.1f (FIPS) build error
Date Mon, 17 Feb 2014 23:33:13 GMT
I built and installed OpenSSL 1.0.1f in the FIPS mode.

I configured httpd-2.4.7 successfully to use mod_ssl:


and, during the build, it stops here:

/usr/local/src/httpd-2.4.7/support/ab.c:509: undefined reference to
/usr/local/src/httpd-2.4.7/support/ab.c:516: undefined reference to
/usr/local/src/httpd-2.4.7/support/ab.c:522: undefined reference to

A msg on the openssl list says, quote:
> Second try...
> The FIPS_rand_set_key and FIPS_rand_seed functions in 0.9.8 appear to have
> been removed in newer OpenSSL FIPS Object Module v2.0.

Those functions relate to the old X9.31 PRNG which isn't the default any more
for the 2.0 module. The default is the SP800-90 DRBG.

> Are there replacements?  Or are they not needed anymore?  If an
> application is in FIPS mode (i.e. the OpenSSL FIPS Object Module is in FIPS
> mode), can the application fork without having to reset the FIPS rand state?

Yes fork protection is included in the 2.0 module. In fact it was also in the
1.2.x module, you only needed to worry about fork for the 1.1 module.

> I see an interface called FIPS_x931_set_key, but I want to use an RBG that
> is compliant with SP 800-90 - which I believe the OpenSSL FIPS Object Module
> v2.0 supports.

In FIPS mode the default RAND method uses the SP800-90 DRBG so you use it

> When does one use the RAND_init_fips function?

You don't normally need to call that at all: it is handled automaticaly when
you enter FIPS mode.

Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see:

End quote.

The openssl message is at:

I will try to back off FIPS for now but I sure would like to use it.

I'll file a bug if it's appropriate.

Best regards,


I get this error:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message