On 09/07/2012 12:24 AM, TJ wrote:
> I'm doing a cross platform FIPS build (FIPSv2.0.1 with OpenSSL 1.01c).
>
> ./Configure no-asm no-hw linux-generic32
> make -j1 -C openssl-fips

Might as well stop right there as the resulting FIPS module isn't FIPS 140-2 validated. There is no point in using the FIPS module if you can't claim, and don't require, validation; it has no inherent performance or security advantages over regular OpenSSL (in fact it is technically *inferior* in both respects).

As documented in the Security Policy you are constrained to

    gunzip -c openssl-fips-2.0.1.tar.gz | tar xf -
    cd openssl-fips-2.0.1
    ./config
    make
    make install

from an unmodified source distribution tarball obtained via a "secure path" (i.e. snail-mailed CD). Deviate from that and the result is of no value.

> seems to build ok and produces the fipscanister.o etc in the
> openssl-fips/fips directory. So far so good, but then
>
> ...
> <snipped path>/openssl-fips/fips/fipscanister.o: file not recognized:
> File format not recognised
> collect2: ld returned 1 exit status

Not enough info to say. Why are you specifying --openssldir *and* --with-fipsdir *and* --with-fipslibdir? At the most you should only need to specify --openssldir and --with-fipsdir, if you've chosen to install both the FIPS module and OpenSSL in non-standard locations.

-Steve M.

--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com