First: You should run vcvars32.bat before doing anything in that window. It's necessary for several reasons, not the least of which is helping the configuration process figure out what it's actually using.
Also, you should really upgrade from 0.9.8j to 0.9.8k. (The OpenSSL team recommends always using the latest version unless there is an uncaught regression.)

But to (not really) answer your question: I do not do anything on Windows itself, and thus don't know what it requires. If I did, I would help you more. I just know the FIPS validation requirements, and try to help those who need help understanding.

But all is not lost: I would bet that http://openssl.org/docs/fips/UserGuide-1.2.pdf would have more information on how to build a newer version of OpenSSL that linked against the FIPS canister.

(Since I'm a bit out of my depth, would someone who has more experience on the Windows platform please chime in?)

-Kyle H

On Thu, Mar 26, 2009 at 4:27 AM, Uma G. Nayak <uma_na...@mindtree.com> wrote:
> That was very clear and great help Kyle!! Even though I had spent time on
> Security Policy earlier, the build procedure was not clear, at least for me,
> until now.
>
> If you wouldn't mind, could you answer one more question of mine?
>
> I want to use the libeay32.dll and ssleay32.dll from the above build in my
> application. Now, is it sufficient if I use the Openssl-fips-1.2 dlls or
> should I use it with Openssl-0.9.8j module? Because I had read about it in
> one of the replies in this forum, that Openssl-fips-1.2 is to be used in
> conjunction with Openssl-0.9.8j.
>
> If this is true, should I build Openssl-0.9.8j using Openssl-fips-1.2
> libraries? Again what is the build procedure for this?
>
> I used to follow the below steps for Openssl-0.9.8j:
>
> perl Configure VC-WIN32 no-asm fips --with-fipslibdir=<path of Openssl-fips-1.2 dlls>
> ms\do_ms
> vcvars32.bat
> nmake -f ms\ntdll.mak
>
>
> Regards,
> Uma
>
> -----Original Message-----
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
> Sent: Thursday, March 26, 2009 11:42 AM
> To: openssl-users@openssl.org
> Subject: Re: Server crash while starting service
>
> More specifically:
>
> (and before anyone berates me: I apologize for the snarkiness of the
> rest of this post, I'm only trying to make a point with a bit of
> humor.)
>
> Delete the current FIPS source tree you've got. It's not viable, and
> it can never create any module that can claim FIPS validation. Just
> wipe it.
>
> Then, download and read the Security Policy. It's only 16 pages long,
> not big at all, and you get it from
> http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf . Once you
> read that, you'll understand what you have to do, and why. In fact,
> go download it and read it right now -- I'll wait.
>
> ...
>
> ...
>
> ...
>
> Only after you've read the Security Policy (you HAVE read it, haven't
> you? No? I'm serious. I can't stress enough that IT IS ABSOLUTELY
> VITAL THAT YOU READ THE SECURITY POLICY!!!!)... open a command prompt
> and set up your environment, by doing vcvars32.bat. Then, untar the
> source code for the module -- this can be done in another application,
> such as 7zip, but LEAVE YOUR ORIGINAL WINDOW OPEN. Then, cd to the
> openssl-fips-1.2.0\ directory, and then type the following:
>
> ms\do_fips no-asm
>
> Do NOT run Configure. 'ms\do_fips no-asm' will do everything for you.
>
> Again: Read the Security Policy. It includes these instructions,
> though perhaps not quite as well spelled-out. (In order to understand
> what it means to have an OpenSSL that can claim FIPS validation, you
> need to read it. It's only 16 pages long, and the instructions are on
> page 14.)
>
> -Kyle H
>
> On Wed, Mar 25, 2009 at 10:56 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
>> If you're on Windows, you MUST use either "ms\do_fips" or "ms\do_fips
>> no-asm".
>>
>> -Kyle H
>>
>> On Wed, Mar 25, 2009 at 8:40 PM, Uma G. Nayak <uma_na...@mindtree.com> wrote:
>>> Hi,
>>>
>>> 1) Where should the no-asm option be given? With the Configure command or
>>> the do_fips command? I have used no-asm with Configure command.
>>>
>>> I have built as follows:
>>>
>>> perl Configure VC-WIN32 no-asm
>>> vcvars32.bat
>>> ms\do_fips
>>>
>>> 2) out32dll\fips_test_suite gives the following:
>>>
>>> FIPS-mode test application
>>>
>>> 1. Non-Approved cryptographic operation test...
>>> a. Included algorithm (D-H)...successful
>>> 2. Automatic power-up self test...ERROR:2d06c071:lib=45,func=108,reason=113:file=.\fips\fips.c:line=274:
>>> FAILED!
>>>
>>>
>>> Uma
>>>
>>> -----Original Message-----
>>> From: owner-openssl-us...@openssl.org
>>> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
>>> Sent: Wednesday, March 25, 2009 11:56 PM
>>> To: openssl-users@openssl.org
>>> Subject: Re: Server crash while starting service
>>>
>>> On Thu, Mar 26, 2009, Uma G. Nayak wrote:
>>>
>>>> Still no luck :(. Is it that FIPS mode doesn't work on AMD processors? In
>>>> the Security Policy pdf at
>>>> https://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf 8 platforms on
>>>> which the Module was tested are listed:
>>>>
>>>> U1 Linux x86 no-asm Linux.2.6.18_i686_gcc-4.1.2 (OpenSuSE 10.2) no-asm
>>>> U2 Linux x86-64 no-asm Linux.2.6.20_x86-64_gcc-4.1.2 (OpenSuSE 10.2)
>>>> U3 Linux x86 asm Linux.2.6.18_i686_gcc-4.1.2 (OpenSuSE 10.2)
>>>> U4 Linux x86-64 asm Linux.2.6.20_x86-64_gcc-4.1.2 (OpenSuSE 10.2)
>>>> W1 Windows x86 no-asm WinXP.SP2_i386_MSVC.8.0 no-asm
>>>> W2 Windows x64 no-asm WinXP.SP2_x86-64_MSVC.8.0 no-asm
>>>> W3 Windows x86 asm WinXP.SP2_i386_MSVC.8.0 NASM, SSE2
>>>> W4 Windows x64 asm WinXP.SP2_x86-64_MSVC.8.0
>>>>
>>>> Does this mean that this module works only on Pentium platforms? What if I
>>>> want to run an application in FIPS mode on a say, AMD machine without SSE2
>>>> support? Or this 'SSE2 support' ends at lower Pentium machines?
>>>>
>>>
>>> Did you use the correct command to build the validated tarball i.e.:
>>>
>>> ms\do_fips no-asm
>>>
>>> What happens when you do.
>>>
>>> out32dll\fips_test_suite
>>>
>>> afterwards? I don't have a non-sse2 WIN32 platform to test on.
>>>
>>> Steve.
>>> --
>>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>>> OpenSSL project core developer and freelance consultant.
>>> Homepage: http://www.drh-consultancy.demon.co.uk
>>> ______________________________________________________________________
>>> OpenSSL Project http://www.openssl.org
>>> User Support Mailing List openssl-us...@openssl.org
>>> Automated List Manager majord...@openssl.org
>>>
>>> http://www.mindtree.com/email/disclaimer.html
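
Added example, not part of the original thread and not OpenSSL's own code: a small Python parser for the `ERROR:` record that `fips_test_suite` printed in the quoted output, useful when triaging a failed power-up self test from a build log. It assumes the packed error-code layout of OpenSSL 0.9.8 (8-bit library, 12-bit function, 12-bit reason), which the quoted line itself agrees with; the function names and the `SAMPLE` text are constructed for illustration.

```python
import re

# One ERROR record as printed by fips_test_suite in the thread:
# ERROR:<hex code>:lib=<n>,func=<n>,reason=<n>:file=<path>:line=<n>
ERR_RECORD = re.compile(
    r"ERROR:(?P<code>[0-9A-Fa-f]{1,8}):lib=(?P<lib>\d+),func=(?P<func>\d+),"
    r"reason=(?P<reason>\d+):file=(?P<file>.+?):line=(?P<line>\d+)"
)

def unpack_error_code(code):
    """Split a packed 32-bit code: bits 31-24 lib, 23-12 func, 11-0 reason."""
    return {"lib": (code >> 24) & 0xFF,
            "func": (code >> 12) & 0xFFF,
            "reason": code & 0xFFF}

def parse_error_records(output):
    """Return one dict per ERROR record found in the tool output."""
    records = []
    for m in ERR_RECORD.finditer(output):
        code = int(m.group("code"), 16)
        decoded = unpack_error_code(code)
        printed = {k: int(m.group(k)) for k in ("lib", "func", "reason")}
        records.append({
            "code": code,
            **decoded,
            "file": m.group("file"),
            "line": int(m.group("line")),
            # False means the hex code and the printed fields disagree,
            # e.g. the line was truncated or edited before it reached you.
            "consistent": decoded == printed,
        })
    return records

# Constructed sample: the output quoted in the thread, with the
# mail-wrapped "self test" line rejoined.
SAMPLE = r"""FIPS-mode test application

1. Non-Approved cryptographic operation test...
a. Included algorithm (D-H)...successful
2. Automatic power-up self test...ERROR:2d06c071:lib=45,func=108,reason=113:file=.\fips\fips.c:line=274:
FAILED!
"""

if __name__ == "__main__":
    for rec in parse_error_records(SAMPLE):
        print(rec)
```
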