My 2-cents worth... 

        If you had to tweak ANYTHING then this is not a "FIPS-approved"
build. 

        Carl
 On Thu 09/12/10 4:39 PM , Christopher A Hotchkiss
christopher.a.hotchk...@jpmchase.com sent:
  To All,
 I was able to get OpenSSL FIPS to build and run on Server 2008 R2 by
building on Server 2003 32bit.
 I also had to tweak the ms\ntdll.mk file and add "/FIXED" on lines 33
and 76.
 Christopher A Hotchkiss
 JPMorgan Chase & Co. - Navy Cash Application Developer
 Email 
 -----Original Message-----
 From: owner-openssl-us...@openssl.org [] On Behalf Of Christopher A
Hotchkiss
 Sent: Monday, December 06, 2010 3:32 PM
 To: 
 Subject: Problems building FIPS Openssl under Server 2008 R2
 To whom it may concern,
 I have been attempting to build a FIPS capable openssl using the
instructions in the User Guide. However I am getting the following
error while trying to run the fips validation of the archive: 

 c:\build\openssl\openssl-0.9.8p\out32dll>C:\build\openssl\openssl\bin\openssl.exe sha1 -hmac etaonrishdlcupfm C:\build\openssl-fips\openssl-fips-1.2.tar.gz
 2848:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:.\fips\fips.c:238:
 I found a thread on the dev list describing the use of the "/FIXED"
linker flag but that is not working either. Can anyone help? I have
included the steps I am following below:
 Install Server 2008 R2 x64
 Install Notepad++
 Install .Net Framework 4
 Install Windows SDK
 Install the April 2005 x64 Platform SDK from MSDN
 Install 7-zip
 Install Gpg4win
 Install ActivePerl
 Create folder C:\build
 OpenSSL FIPS - Note do not under ANY circumstances edit any of the
openssl code/scripts/files during the fips build process
 Start following http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
[4] on page 25
 Download http://www.openssl.org/source/openssl-fips-1.2.tar.gz [5]
to C:\build\openssl-fips
 Download http://www.openssl.org/source/openssl-fips-1.2.tar.gz.asc
[6] to C:\build\openssl-fips as well
 Open a command prompt start->run->cmd
 cd c:\build\openssl-fips
 gpg openssl-fips-1.2.tar.gz.asc
 It will complain about a missing public key. Check the reported Key
ID against Appendix A. If it doesn't match we have issues.
 Next go to start->all programs->gpg4win->GPA
 Click no to creating your own public key
 At the top go to server->retrieve keys and enter the key id that you
saw at the command prompt.
 It should download a single key.
 Go back to the command prompt and rerun the command
 cd c:\build\openssl-fips
 gpg openssl-fips-1.2.tar.gz.asc
 It should report a good signature and also complain that the key
isn't trusted.
 Validate the primary key fingerprint against Appendix A of the user
guide.
 Extract the tar.gz file to C:\build\openssl-fips\openssl-fips-1.2
 Make sure to keep the tar.gz around since it will be needed for
further validation after the build.
 Start at command prompt using the Microsoft Platform SDK Server 2003
x64 Retail Build Shortcut
 cd c:\build\openssl-fips\openssl-fips-1.2
 ms\do_fips no-asm
 Once that completes create the following folder
c:\build\openssl-fips\lib
 Copy the following files to that folder:
 c:\build\openssl-fips\openssl-fips-1.2\out32dll\fips_premain.c
 c:\build\openssl-fips\openssl-fips-1.2\out32dll\fips_premain.c.sha1
 c:\build\openssl-fips\openssl-fips-1.2\out32dll\fipscanister.lib
 c:\build\openssl-fips\openssl-fips-1.2\out32dll\fipscanister.lib.sha1
 Build Normal OpenSSL
 Make a folder named c:\build\openssl
 Download the latest 0.9.8b < x < 1.0.0 openssl source from here:
http://www.openssl.org/source/openssl-0.9.8p.tar.gz [7] to
c:\build\openssl
 Extract the tar.gz file to C:\build\openssl\openssl-0.9.8p
 Start at command prompt using the Microsoft Platform SDK Server 2003
x64 Retail Build Shortcut
 cd C:\build\openssl\openssl-0.9.8p
 perl Configure VC-WIN64A fips --with-fipslibdir=c:\build\openssl-fips\lib
 ms\do_win64a
 In file C:\build\openssl\openssl-0.9.8p\ms\ntdll.mak lines 33 and 76
 add "/FIXED" to the end of the line.
 Go back to the command prompt and run
 nmake -f ms\ntdll.mak
 cd out32dll
 ..\ms\test
 Once that completes create the following folders
 c:\build\openssl\openssl
 c:\build\openssl\openssl\bin
 c:\build\openssl\openssl\lib
 c:\build\openssl\openssl\include
 c:\build\openssl\openssl\include\openssl
 Copy the following files to their matching folders:
 inc32\openssl\* - c:\openssl\include\openssl
 out32dll\ssleay32.lib - c:\openssl\lib
 out32dll\libeay32.lib - c:\openssl\lib
 out32dll\ssleay32.dll - c:\openssl\bin
 out32dll\libeay32.dll - c:\openssl\bin
 out32dll\openssl.exe - c:\openssl\bin
 FIPS Validate the openssl-fips download
 Open a command prompt and run the following
 set OPENSSL_FIPS=1;
 C:\build\openssl\openssl\bin\openssl.exe sha1 -hmac etaonrishdlcupfm C:\build\openssl-fips\openssl-fips-1.2.tar.gz
 Can someone please help?
 Christopher A Hotchkiss
 JPMorgan Chase & Co.

______________________________________________________________________
 OpenSSL Project http://www.openssl.org [9]
 User Support Mailing List 
 Automated List Manager 
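
Added example, not part of the thread and not OpenSSL code: a simplified Python model of why a rebased DLL can fail an in-memory fingerprint check, and what linking with "/FIXED" changes. It assumes the check is an HMAC-SHA1 over the loaded module bytes using the key from the command quoted above; the base address, section contents and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

# Key taken from the command line quoted in the thread.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"
PREFERRED_BASE = 0x0FB00000   # constructed value, illustration only

# Constructed 32-byte "code section": filler bytes plus one 4-byte slot
# (offset 8) that holds an absolute address and is listed for relocation.
RELOC_OFFSETS = [8]
TARGET_RVA = 0x1000           # constructed symbol offset from the base


def link_image(base):
    """Return the section bytes as a linker would write them for `base`."""
    image = bytearray(b"\x90" * 32)
    for off in RELOC_OFFSETS:
        struct.pack_into("<I", image, off, base + TARGET_RVA)
    return bytes(image)


def fingerprint(section):
    """HMAC-SHA1 over the section bytes, hex encoded."""
    return hmac.new(FIPS_HMAC_KEY, section, hashlib.sha1).hexdigest()


def load_image(image, load_base, fixed):
    """Model the loader: patch absolute addresses unless linked /FIXED."""
    if load_base == PREFERRED_BASE:
        return image
    if fixed:
        # A fixed image has no relocation data, so it cannot be moved.
        raise OSError("preferred base unavailable and image is fixed")
    delta = load_base - PREFERRED_BASE
    patched = bytearray(image)
    for off in RELOC_OFFSETS:
        (value,) = struct.unpack_from("<I", patched, off)
        struct.pack_into("<I", patched, off, (value + delta) & 0xFFFFFFFF)
    return bytes(patched)


def incore_check(image, load_base, fixed=False):
    """Compare the build-time fingerprint with the one seen in memory."""
    embedded = fingerprint(image)   # value recorded at build time
    in_memory = fingerprint(load_image(image, load_base, fixed))
    return hmac.compare_digest(embedded, in_memory)
```

In this model a load at the preferred base passes, a rebased load fails the comparison, and a fixed image refuses to load elsewhere rather than run with altered bytes.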



Links:
------
[4] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.openssl.org%2Fdocs%2Ffips%2FUserGuide-1.2.pdf
[5] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.openssl.org%2Fsource%2Fopenssl-fips-1.2.tar.gz
[6] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.openssl.org%2Fsource%2Fopenssl-fips-1.2.tar.gz.asc
[7] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.openssl.org%2Fsource%2Fopenssl-0.9.8p.tar.gz
[8] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.jpmorgan.com%2Fpages%2Fdisclosures
[9] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.openssl.org
[12] http://webmail.keycomm.co.uk/parse.php?redirect=http%3A%2F%2Fwww.openssl.org
