Hi Dave.

Thank you for taking out the time to respond.

What is the right way to build FIPS compliant OpenSSL binaries?
I assumed the right way was:

1) Build FIPS module (say 2.0.5) using VS2008. Going by your reply, this should already have the "/fixed" linker flag. I will search the FIPS module source tarball to find which file has this.

2) Configure OpenSSL (say 1.0.1e) with the following configure options:
   perl Configure VC-WIN32 fips --with-fipslibdir=<path to FIPS module build>
   And then call make:
   nmake /f ms\ntdll.mak

In this approach, I confirm that I see the mismatch error as discussed on thread:
http://comments.gmane.org/gmane.comp.encryption.openssl.devel/18309

When I patched OpenSSL 1.0.1e source (util/pl/VC-32.pl) and built it again, the problem was fixed. That led me to believe the change didn't make it to the 1.0.1 branches. Either that, or the way I'm building is wrong :-).

If this is the right way to build, should I request this list to patch 1.0.1 series?

Thanks in advance,
Parag Doke

On 2/8/14, Dave Thompson <dthomp...@prinpay.com> wrote:
> I'm not a dev or even a real FIPSian, but I'll take a stab:
>
> The commit itself says branch_0_9_8_stable, and see it in 0.9.8 v and later. But I don't think it does any good there, because you don't want to build a FIPS module from a normal tarball. (It's not validated, so it's no better and perhaps worse than a plain non-FIPS library.) There is one release on the website of fips-1.2 after 2012-apr-15, 1.2.4, which clearly does not have the change (VC-32.pl contents and timestamp unchanged).
>
> All of the fips-2.0* tarballs are well after 2012-apr and do add /fixed, but not exactly this way. They put it in a different place that looks to have the same result, but I don't have actual FIPS builds to verify.
>
> From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Parag Doke
> Sent: Thursday, February 06, 2014 08:37
> To: openssl-dev@openssl.org
> Subject: *** Spam *** Which OpenSSL version picked up check-in 22392?
>
> Hello All.
>
> I'm new to this list. Just wanted to ask which OpenSSL version picked up check-in 22392?
>
> Here is the change I'm interested in:
> http://cvs.openssl.org/chngview?cn=22392
>
> Context:
>
> Avoid rebasing dll so that the fingerprint mismatch issue does not show up.
> The discussion is on this link:
> http://comments.gmane.org/gmane.comp.encryption.openssl.devel/18309
>
> I looked at the code for OpenSSL 1.0.1e and 1.0.1f, both did not have this change.
>
> Was it obsoleted by some other subsequent change?
>
> Thanks in advance,
>
> Parag Doke
> Save paper, save trees. Do not print emails/documents unless absolutely necessary.

--
Parag Doke
Save paper, save trees. Do not print emails/documents unless absolutely necessary.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
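
A post-build check for the rebasing issue discussed in this thread, as an added example that is not part of the original messages or of OpenSSL's own code: it reads a 32-bit PE header and reports whether the loader could still relocate the image. It assumes that linking with /fixed sets the IMAGE_FILE_RELOCS_STRIPPED flag and leaves no base relocation table; `relocation_status`, `sample_header` and the sample bytes are constructed for illustration.

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001  # COFF flag; assumed to be set by /fixed
BASERELOC_INDEX = 5                  # data directory slot of the base relocation table

def relocation_status(image: bytes) -> dict:
    """Report whether a 32-bit PE image can be rebased by the loader."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ header)")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    characteristics = struct.unpack_from("<H", image, pe + 22)[0]
    opt = pe + 24                                           # optional header start
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("not PE32 (this check covers VC-WIN32 output only)")
    image_base = struct.unpack_from("<I", image, opt + 28)[0]
    n_dirs = struct.unpack_from("<I", image, opt + 92)[0]
    reloc_size = 0
    if n_dirs > BASERELOC_INDEX:
        _rva, reloc_size = struct.unpack_from("<II", image, opt + 96 + 8 * BASERELOC_INDEX)
    stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {"image_base": image_base, "relocs_stripped": stripped,
            "reloc_dir_size": reloc_size,
            "rebasable": not stripped and reloc_size > 0}

def sample_header(fixed: bool) -> bytes:
    """Constructed minimal PE32 header (not a real DLL) for demonstration."""
    buf = bytearray(0x40 + 24 + 224)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)                 # e_lfanew -> 0x40
    buf[0x40:0x44] = b"PE\0\0"
    flags = 0x2102 | (IMAGE_FILE_RELOCS_STRIPPED if fixed else 0)
    struct.pack_into("<HHIIIHH", buf, 0x44, 0x14C, 0, 0, 0, 0, 224, flags)
    opt = 0x40 + 24
    struct.pack_into("<H", buf, opt, 0x10B)                 # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x10000000)       # constructed base address
    struct.pack_into("<I", buf, opt + 92, 16)               # NumberOfRvaAndSizes
    if not fixed:
        struct.pack_into("<II", buf, opt + 96 + 8 * BASERELOC_INDEX, 0x5000, 0x400)
    return bytes(buf)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_header(True)
    print(relocation_status(data))
```

Run it with the path of a built DLL as the only argument; a result with `rebasable` set to True means the image can be loaded at an address other than its preferred base.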