Hi All,

I installed openssl 1.0.1c with FIPS and it works fine.

export OPENSSL_FIPS=1

[root@PC ~]# openssl SHA1 incore
SHA1(incore)= b5acba7f6333aafdfe9804d2aebe373c39024bc3
[root@PC ~]# openssl md5 incore
Error setting digest md5
139723413960360:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

Also, the ciphers option shows fewer ciphers.

I compiled HTTPD 2.2.24 against this openssl. But HTTPD is not coming up
with SSLFIPS on, throwing the following errors.

[Mon Apr 01 19:07:46 2013] [emerg] FIPS mode failed
[Mon Apr 01 19:07:46 2013] [emerg] SSL Library Error: 755413103 error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match

Here are the details of the build procedure I followed for httpd.

1) Set Env Variables
        export INCLUDES="-I/software/common/mod_ssl/mod_ssl-2.8.30-1.3.39/pkg.sslmod"
        LIBS=-ldl
        export CPPFLAGS="-I/software/common/openssl/openssl-1.0.1c/include/openssl"
        export LD_LIBRARY_PATH="/software/common/openssl/openssl-1.0.1c/"

2) ./configure --with-ssl=/software/common/openssl/openssl-1.0.1c --enable-so --enable-ssl --enable-shared=ssl

3) make

This resulted in the libmod_ssl.a lib and the httpd binary.

The symbols in the lib and binary are:

[root@PC .libs]# nm -n -f 'sysv' libmod_ssl.a |  grep FIPS
ssl_cmd_SSLFIPS     |                |   U  |            NOTYPE|                |     |*UND*
ssl_cmd_SSLFIPS     |0000000000001130|   T  |              FUNC|000000000000006d|     |.text
FIPS_mode           |                |   U  |            NOTYPE|                |     |*UND*
FIPS_mode_set       |                |   U  |            NOTYPE|                |     |*UND*

[root@PC httpd-2.2.24]# nm -n -f 'sysv' httpd |  grep FIPS|grep .rodata
FIPS_rodata_start   |000000000062ecc0|   R  |            OBJECT|0000000000000010|     |.rodata
FIPS_hmac_key       |000000000062ecd0|   r  |            OBJECT|0000000000000011|     |.rodata
FIPS_bn_version     |000000000062eda0|   R  |            OBJECT|0000000000000036|     |.rodata
FIPS_rodata_end     |000000000063a040|   R  |            OBJECT|0000000000000010|     |.rodata

Can someone help me with this?

Thanks,
Cipher 



--
View this message in context: 
http://openssl.6102.n7.nabble.com/Apache-2-2-24-doesnt-come-up-with-FIPS-capable-openssl-1-0-1c-tp44630.html
Sent from the OpenSSL - Dev mailing list archive at Nabble.com.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
