Rabail: In addition to the Security Policy
(http://www.openssl.org/docs/fips/SecurityPolicy-1.1.2.pdf), take a look
at section 4.2 of the User Guide
(http://www.openssl.org/docs/fips/UserGuide-1.1.1.pdf). In particular, in
section 4.2.3, when it is talking about building a FIPS-capable OpenSSL,
you use 0.9.7m at that point.

The steps you would use would go something like this:

    cd /usr/src
    tar -xvf openssl-fips-1.1.2.tar.gz
    cd openssl-fips-1.1.2
    ./config fips
    make
    make install
    cd ..
    rm -rf openssl-fips-1.1.2

    tar -xvf openssl-0.9.7m.tar.gz
    cd openssl-0.9.7m
    ./config fips --openssldir=/etc/ssl --prefix=/usr zlib-dynamic <other options except shared>
    make depend
    make MANDIR=/usr/share/man
    make MANDIR=/usr/share/man install

The "make depend" is only required if options selected during config
require it.  A message will appear at the end of the config if it is
needed.

Bill

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rabail javed
Sent: June 27, 2008 9:53 AM
To: openssl-users@openssl.org
Cc: James Erskine; Rifaat Shekh-Yusef
Subject: Re: upgrading openssl 0.9.8b to openssl-fips-1.1.1

Thanks a lot, Bill, but if I install openssl-fips-1.1.2, do I need
0.9.7m with it?

On Thu, Jun 26, 2008 at 5:00 PM, Bill Colvin
<[EMAIL PROTECTED]> wrote:

Rabail: openssl-fips-1.1.1 is a 0.9.7 based version of openssl.
Therefore, you will be downgrading your 0.9.8b version if you choose to
do this.

Also, you should be using openssl-fips-1.1.2 now, not openssl-fips-1.1.1,
as it has fixed a minor problem with the earlier version.  You may want
to consider working with the snapshot version openssl-fips-test-1.2.0,
which is the 0.9.8 based version that is currently undergoing FIPS
examination.

With regard to the process, you have to first build the fips canisters
as described in the docs.  You then end up with the fips pieces in
/usr/local.

Then you build a fips capable version of openssl to reside in the target
directories of your choice.  If you are using openssl-fips-1.1.1 then
you would do this with openssl-0.9.7m.

Bill

________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rabail javed
Sent: June 26, 2008 4:23 PM
To: openssl-users@openssl.org
Cc: James Erskine; Rifaat Shekh-Yusef
Subject: upgrading openssl 0.9.8b to openssl-fips-1.1.1

Hi,

I am upgrading the openssl 0.9.8b to openssl-fips-1.1.1. To do this
I need to delete the previous version and install the newer version
according to the instructions specified in
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp733.pdf

By default all the files (bin, include and lib) will be installed to
/usr/local/. I don't want to install in these directories; I want to
install in the existing directories used by the 0.9.8b version, which are
different. I can change the installation directory using the ./config
command and giving the prefix and openssl directory of my own choice.
But according to the above document "Appendix B" I cannot give any other
configuration options. Could you please tell me the way to install
the openssl-fips-1.1.1 version in the old directories used by
openssl 0.9.8b?


-- 
Regards,
Rabail Javed

Telecommunications Software Designer
NORTEL NETWORKS CORPORATION
Canada 
cell: 1-613-242-1316 



