Blasdel, Jerry wrote:
> I'm not sure if this will help, but we do the following (this is on
> Solaris):
>
> 1.    Build fips canisters from an openssl-fips source (1.1.1 or
> 1.1.2).
> 2.    Build a version of openssl and during the configure use
> -with-fipslibdir=(location of the canisters from step 1).
> 3.    Build a version of apache and during the configure use
> --with-ssl=${OPENSSL_INSTALL_DIR} (location from step 2).
>   
Keep in mind that merely linking an application with a FIPS enabled
OpenSSL does NOT automatically give you a result that can be claimed as
FIPS 140-2 compliant.  At an absolute minimum you will need to enable
the FIPS mode of operation (see the User Guide for the gory details:
http://www.openssl.org/docs/fips/).  In practice additional application
source mods will generally be required.  Also check ASF Bugzilla for
some work in that regard going back to 2005; most recently Steve Henson
submitted a patch that includes FIPS mode enabling
(http://mail-archives.apache.org/mod_mbox/httpd-bugs/200711.mbox/[EMAIL PROTECTED]/bugzilla/%3E).

-Steve M.

-- 
Steve Marquess
Open Source Software Institute
[EMAIL PROTECTED]

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
