httpd-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Wed, 10 Feb 2016 15:20:04 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Rich,

On 2/9/16 6:21 PM, cloud force wrote:
> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> 
> Rich,
> 
> On 2/9/16 4:09 PM, cloud force wrote:
>> Yes, I do have some regulatory requirement to use FIPS and I
>> have built the FIPS capable OpenSSL lib.
> 
> Where is that library located on the disk?
> 
>> [Rich] The new libcrypto.so located in the same directory 
>> /lib/x86_64-linux-gnu/
> 
>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>> config file as suggested in the ssl_mod manual page, but the
>> httpd failed to start with errors which seemed to be due to the
>> fact that my apache server was not compiled against an SSL library
>> which supports the FIPS_mode flag.
> 
> Maybe you are getting the system-provided OpenSSL library and not
> the one you custom-built.
> 
>> I need help with guidance on how to compile apache server with
>> FIPS capable OpenSSL lib so that the Apache server can be
>> operating under the OpenSSL FIPS mode.
> 
> Recompiling httpd is never needed to switch out a shared library.
> You just need to fix the way the OS loads things.
> 
>> [Rich] How do I do that?

That depends upon the answers to your various questions.

> What OS? What version of that OS? Architecture, etc.?
> 
>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> How did you install httpd?
> 
>> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
>> and I installed the apache2 package.

Good. Keep that package as it is.

> How did you install OpenSSL (originally)?
> 
>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
>> installed the original Ubuntu openssl package.

Okay. And that package is still installed and not broken?

> Did you build the FIPS-capable OpenSSL library yourself or did you
> get it from some other source?
> 
>> [Rich] I downloaded the FIPS modules source and built it with the
>> stock openssl library, and then installed the newly rebuilt FIPS
>> capable openssl library. I was able to verify by using the FIPS
>> capable openssl lib: running the openssl command to generate an
>> MD5 checksum failed because it is a non-approved FIPS algorithm.

Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
always work as long as you use the full path to the FIPS-capable
openssl binary. Getting another program to load using the FIPS-capable
library takes a bit of work.

> Where is the FIPS-capable OpenSSL library on the disk?
> 
>> [Rich] The .so files are mostly under the directory
>> /lib/x86_64-linux-gnu/

Isn't that where the Ubuntu-packaged libraries are as well?

What does this command show?

$ dpkg -L libssl1.0.0

(This will still work if you have OpenSSL 1.0.1.)

Where *exactly* are the FIPS-capable libraries you built? There should
be several .so files produced by the build. What are they and where
did you put them?

> How do you launch httpd?
> 
>> [Rich] Ubuntu uses upstart script to launch service like httpd. I
>> just ran the upstart script (service apache2 start) to start the
>> httpd.

Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
environment variable to point to the place where your FIPS-capable
OpenSSL libraries are. But if you put them into the existing library
search path, you may have broken both your original OpenSSL
installation, plus the FIPS-capable libraries as well.

It would be best to keep the FIPS-capable libraries somewhere out of
the way where you won't confuse them with the package-installed ones.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAla7VSQACgkQ9CaO5/Lv0PDqQACbBdzt3ek8ywxxUFgjhb8YXhf7
1gAAnRRHqsNIEuOmd6OFjewx3M7UWZsa
=JqxL
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
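The two things Chris's reply asks Rich to sort out (keep the self-built FIPS-capable OpenSSL somewhere outside the loader's default search path and hand its location to httpd via LD_LIBRARY_PATH, and find out whether copying the build into /lib/x86_64-linux-gnu/ clobbered the package-installed libssl files) can both be checked with a few shell functions. The script below is an added example, not code from the thread, from Ubuntu, or from the httpd project. It assumes an Ubuntu 12.04 amd64 layout: the fixed list of default loader directories, /etc/ld.so.conf.d as the source of extra ones, /etc/apache2/envvars as the file the apache2 init script sources before starting httpd, and the dpkg md5sums manifest format ("<md5>  <relative path>", as found in /var/lib/dpkg/info/<pkg>.md5sums) are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Helpers for keeping a self-built
# FIPS-capable OpenSSL out of the dynamic loader's default search path and
# for checking whether the Ubuntu-packaged libssl files were overwritten.
# The paths and directory list below are assumptions about an Ubuntu
# 12.04 amd64 system.

# Directories the loader searches with no LD_LIBRARY_PATH set. The fixed
# list is an assumption for x86_64 Debian-style systems; entries from
# /etc/ld.so.conf.d are appended when that directory is readable.
default_lib_dirs() {
    printf '%s\n' /lib /usr/lib /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu
    if [ -d /etc/ld.so.conf.d ]; then
        # keep non-blank, non-comment lines; sed always exits 0
        cat /etc/ld.so.conf.d/*.conf 2>/dev/null | sed -n '/^[[:space:]]*[^#[:space:]]/p'
    fi
}

# Returns 0 if DIR is a default loader directory, i.e. a bad home for the
# FIPS build because it would shadow or overwrite the packaged .so files.
lib_in_default_path() {
    dir=$(printf '%s' "$1" | sed 's:/*$::')
    default_lib_dirs | sed 's:/*$::' | grep -Fxq -- "$dir"
}

# Validates DIR as a home for the FIPS-capable build and prints the line
# to add to /etc/apache2/envvars (assumed: the file sourced by the Ubuntu
# apache2 init script before httpd is started). Returns 1 and explains on
# stderr when DIR is unsuitable.
check_fips_libdir() {
    dir=$1
    if lib_in_default_path "$dir"; then
        echo "refusing $dir: it is already on the loader's default path" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist" >&2
        return 1
    fi
    for lib in libcrypto.so libssl.so; do
        # unquoted glob: ls fails when nothing matches
        if ! ls "$dir"/$lib* >/dev/null 2>&1; then
            echo "$dir is missing $lib*" >&2
            return 1
        fi
    done
    printf 'export LD_LIBRARY_PATH=%s${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}\n' "$dir"
}

# Checks every file listed in a dpkg-style md5sums manifest against ROOT
# (default /). Prints each file whose checksum no longer matches and
# returns 1 if any differ: a quick way to see whether a custom build
# overwrote the package's libcrypto/libssl.
verify_package_files() {
    manifest=$1
    root=${2:-/}
    bad=0
    while read -r sum path; do
        [ -n "$path" ] || continue
        actual=$(md5sum "$root/$path" 2>/dev/null | cut -d' ' -f1)
        if [ "$actual" != "$sum" ]; then
            echo "MODIFIED or MISSING: $root/$path"
            bad=1
        fi
    done < "$manifest"
    return $bad
}

# Stand-alone use: FIPS_LIBDIR=/opt/openssl-fips/lib sh fipslib.sh
# (the directory name is a placeholder, not one from the thread)
if [ -n "${FIPS_LIBDIR:-}" ]; then
    check_fips_libdir "$FIPS_LIBDIR"
fi
```

The printed export line is meant to be pasted into /etc/apache2/envvars, so that `service apache2 start` picks it up without touching the Ubuntu apache2 package; the manifest check is the offline equivalent of comparing what `dpkg -L libssl1.0.0` lists against what is actually on disk.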

