httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From cloud force <cloud.force...@gmail.com>
Subject Re: [users@httpd] How to build Apache with FIPS mode capable?
Date Wed, 10 Feb 2016 18:12:11 GMT
Hi Chris,

On Wed, Feb 10, 2016 at 9:50 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Rich,
>
> On 2/10/16 11:24 AM, cloud force wrote:
> > Hi Chris,
> >
> > Please see my comments below.
> >
> > Thanks, Rich
> >
> > On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz
> > <chris@christopherschultz.net
> > <mailto:chris@christopherschultz.net>> wrote:
> >
> > Rich,
> >
> > On 2/9/16 6:21 PM, cloud force wrote:
> >> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
> >> <chris@christopherschultz.net
> >> <mailto:chris@christopherschultz.net>
> >> <mailto:chris@christopherschultz.net
> >> <mailto:chris@christopherschultz.net>>>
> > wrote:
> >
> >> Rich,
> >
> >> On 2/9/16 4:09 PM, cloud force wrote:
> >>> Yes I do have* *some regulatory requirement to use FIPS and I
> >>> have built the FIPS capable OpenSSL lib.
> >
> >> Where is that library located on the disk?
> >
> >>> [Rich] The new libcrypto.so located in the same directory
> >>> /lib/x86_64-linux-gnu/
> >
> >
> >
> >>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
> >>> config file as suggested in the ssl_mod manual page, but the
> >>> httpd failed to start with errors which seemed to due to the
> >>> fact that my apache server was not compiled against an SSL
> >>> library which support the FIPS_mode flag.
> >
> >> Maybe you are getting the system-provided OpenSSL library and
> >> not the one you custom-built.
> >
> >>> I need helps with guidance of how to compile apache server
> >>> with FIPS capable OpenSSL lib so that the Apache server can be
> >>> operating under the OpenSSL FIPS mode.
> >
> >> Recompiling httpd is never needed to switch-out a shared
> >> library. You just need to fix the way the OS loads things.
> >
> >>> [Rich] How do I do that?
> >
> > That depends upon the answers to your various questions.
> >
> >> What OS? What version of that OS? Architecture, etc.?
> >
> >>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> >
> >
> >> How did you install httpd?
> >
> >>> [Rich] Httpd is packaged by Ubuntu as a package called
> >>> apache2, and I installed the apache2 package.
> >
> > Good. Keep that package as it is.
> >
> >> How did you install OpenSSL (originally)?
> >
> >>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
> >>> installed the original Ubuntu openssl package.
> >
> > Okay. And that package is still installed and not broken?
> >
> >> Did you build the FIPS-capable OpenSSL library yourself or did
> >> you get it from some other source?
> >
> >>> [Rich] I downloaded the FIPS modules source and built it with
> >>> the stock openssl library, and then installed the newly rebuild
> >>> FIPS capable openssl library. I was able to verify by using the
> >>> FIPS capable openssl lib, running the openssl command to
> >>> generate a MD5 checksum failed due to it's an non-approved FIPS
> >>> algorithm.
> >
> > Okay, good. IIRC, the "openssl" CLI is statically-linked so that
> > will always work as long as you use the full path to the
> > FIPS-capable openssl binary. Getting another program to load using
> > the FIPS-capable library takes a bit of work.
> >
> >> Where is the FIPS-capable OpenSSL library on the disk?
> >
> >>> [Rich] The .so files are mostly under the directory
> >>> /lib/x86_64-linux-gnu/
> >
> > Isn't that where the Ubuntu-packages libraries are as well?
> >
> >> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
> >> files replaced the original Ubuntu installed ones.
> >
> >
> >
> > What does this command show?
> >
> > $ dpkg -L libssl1.0.0
> >
> > (This will still work if you have OpenSSL 1.0.1.)
> >
> > Where *exactly* are the FIPS-capable libraries you built? There
> > should be several .so files produced by the build. What are they
> > and where did you put them?
> >
> >> How do you launch httpd?
> >
> >>> [Rich] Ubuntu uses upstart script to launch service like httpd.
> >>> I just ran the upstart script (service apache2 start) to start
> >>> the httpd.
> >
> > Ultimately, this is going to involve you adjusting the
> > LD_LIBRARY_PATH environment variable to point to the place where
> > your FIPS-capable OpenSSL libraries are. But if you put them into
> > the existing library search path, you may have broken both your
> > original OpenSSL installation, plus the FIPS-capable libraries as
> > well.
> >
> >> [Rich] My understanding is, if I replace the Ubuntu installed
> >> OpenSSL lib files with the FIPS capable version built by myself,
> >> as long as the application which uses openssl (e.g. Apache
> >> server) doesn't explicitly invoke FIPS_mode_set() API to enable
> >> FIPS mode, they will work pretty much the same as there 's no
> >> FIPS.
>
> Agreed.
>
> >> From the ssl_mod's doc it looks like I need to recomplile with
> >> some different option so that it will allow Apache to invoke
> >> FIPS_mode_set API, as I did find the FIPS_mode_set API got
> >> invoked somewhere in the stock httpd source code. Is my
> >> understanding correct?
>
> I might need some help from the httpd gurus here. If httpd has #ifdefs
> that require that the compile-time library be FIPS-capable in order to
> build against it, then httpd will in fact have to be rebuilt.
>
> OpenSSL itself does not conditionally-compile or conditionally-declare
> the FIPS_mode_set(int) function call, so building against a
> non-FIPS-capable library (the set of header files, really) should
> still allow you to call FIPS_mode_set at runtime.
>
> What exact error message did you get when trying to start httpd with
> FIPSMode On? You never actually posted that.
>
I added the "SSLFIPS on" option to the httpd.conf as suggested in the
ssl_mod doc, and I got the following error:

 * Starting web server apache2

      Syntax error on line 1 of /etc/apache2/httpd.conf:

SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS

Action 'start' failed.

The Apache error log may have more information.





> > It would be best to keep the FIPS-capable libraries somewhere out
> > of the way where you won't confuse them with the package-installed
> > ones.
>
> Note that by replacing the package-manager-supplied libraries, you'll
> end up breaking everything whenever a security patch for OpenSSL is
> provided by your package manager.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAla7eFEACgkQ9CaO5/Lv0PBWkgCdEAAV6hySl/ambxzad/n9lWh1
> XbcAn1hwQp0p5BKjTPoWyxTcydFSYvLV
> =gu7X
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>

Mime
View raw message