Dr. Henson:

Thanks for your quick response and your patience. Sometimes I have a way of trying to make things so much harder than they need to be. I reread page 33 of the OFOM User Guide ...

"The fipsld command requires that the CC and/or FIPSLD_CC environment variables be set, with the latter taking precedence. These variables allow a typical Makefile to be used without modification by specifying a command of the form

    make CC=fipsld FIPSLD_CC=gcc

where fipsld is invoked by make in lieu of the original compiler and linker (gcc in this example), and in turn invokes that compiler where appropriate."

So, I stopped trying to edit the curl Makefiles and, instead, actually tried doing exactly what Steve Marquess says to do in the OFOM User Guide (along with copying fipsld into the necessary curl source directories and telling make where to find openssl). Of course, my FIPS-capable curl built successfully.

Thanks again.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Dr. Stephen Henson
Sent: Monday, September 22, 2008 3:44 AM
To: openssl-users@openssl.org
Subject: Re: FIPS-capable curl: Solaris 9 - fingerprint does not match

On Sun, Sep 21, 2008, Welling, Conrad Gerhart wrote:

> Back to square 2 out of 3:
>
> Platform:
> SunOS bear 5.9 Generic_118558-34 sun4u sparc SUNW,Ultra-5_10
> gcc (GCC) 3.4.6
> GNU ld version 2.17
> GNU ar 2.17
>
> 1. Built fips-1.1.2 successfully
>
> 2. Built openssl-0.9.7m successfully with ...
> ./Configure solaris-sparcv9-gcc27 fips
> --with-fipslibdir=/export/home/wellingc/dudc/openssl-fips-1.1.2/fips-1.0/
>
> (also tried with -shared, but no successful build)
>
> 3. Built modded curl executable, adding a --fips-mode option, using ...
> ./configure --with-ssl=/usr/local/ssl --enable-http --disable-tftp
> --disable-file --disable-ldap --disable-ldaps --disable-dict --disable-telnet
> --with-ca-path=../x.dcerts --disable-ldap
>
> When curl executable is run from command-line with --fips-mode, get ...
> SSL: 0:705134702:fips.c:212:0:error:2A07806E:FIPS
> routines:FIPS_check_dso:fingerprint does not match
>
> I've read all "fips solaris" forum messages + others ... I thought I had this
> down, but ...
> a little guidance would be appreciated.
>

You need to link the application using the "fipsld" script. That will correctly obtain and embed the correct signature in the target.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]