I have followed the steps mentioned in the OpenSSL FIPS Security Policy for openssl fips 1.1.2, and that all works fine. But when I started working on fips capable openssl using openssl 0.9.7m and used the shared option in ./Configure, it gives an error, but it works fine when not using the shared option.

The steps to generate the fips module (using openssl fips 1.1.2):

1. ./Configure fips aix-cc
2. make

The steps used to generate fips capable openssl:

    ./Configure -DSSL_ALLOW_ADH --prefix=/usr --openssldir=/var/ssl --with-fipslibdir=$fipslibdir fips no-idea no-rc5 no-ec no-symlinks shared threads aix${1}-xlc_r
    make depend
    make
    # Relink the 'openssl' program with correct libpath.
    cd apps
    rm openssl
    make CC='xlc_r -bnolibpath'
    cd ../..

This shared option is causing the fips related functions to fail.

This is the error message:

    ./fips_test_suite
    >> FIPS-mode test application
    >>
    >> 1. Non-Approved cryptographic operation test...
    >> a. Included algorithm (D-H)...successful
    >> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
    >> 2. Automatic power-up self test...FAILED!

But it is okay when I omit the shared option.

Does this mean it does not support shared libraries?

I have found a link which also states the same:
http://www.mail-archive.com/openssl-users@openssl.org/msg53664.html

I am attaching the build script I am using:
http://www.nabble.com/file/p19555718/fipsbuild.txt fipsbuild.txt

Please help me to resolve this problem.

Thanks in advance,
Joshi Chandran

Patrick Patterson-3 wrote:
>
> Hi Joshi:
>
> On September 18, 2008 11:01:28 am joshi chandra wrote:
>> Hi
>>
>> I was trying to build a shared library of fips and I am facing some
>> problems with that. These are the steps I have done:
>>
>> 1. I have created the fips object module (used openssl fips 1.1.2)
>>
>> 2. Used openssl 0.9.7m to create the fips capable module, and when I use
>> the shared option in ./configure, all the fips related functions failed
>> (like fips_test_suite failed); if I am not using the shared option, that
>> time it succeeded.
>>
>> This is the error which I am getting when using the shared option in
>> ./Configure in openssl 0.9.7m:
>>
>> ./fips_test_suite
>> FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>> a. Included algorithm (D-H)...successful
>> 1638508:error:2A07806E:lib(42):func(120):reason(110):fips.c:212:
>> 2. Automatic power-up self test...FAILED!
>>
>> but it works fine when shared is not used.
>>
>> This means the shared library is not supported by this version.
>>
>> Can you please help with what is wrong here?
>>
> From my understanding, to get a FIPS validated module, you must follow the
> OpenSSL FIPS Security Policy letter for letter. That means that if you change
> a single option on the ./configure line, it is no longer the "FIPS validated"
> version that you are building. Consequently, I suggest you read the security
> policy, and see if what you are trying to do is a validated configuration.
>
> Have fun.
>
> --
> Patrick Patterson
> President and Chief PKI Architect,
> Carillon Information Security Inc.
> http://www.carillon.ca
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
>

--
View this message in context: http://www.nabble.com/Openssl-Fips-Shared-Library-tp19552549p19555718.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.