[openssl-users] OpenSSL Compile Issues (and general knowledge questions)

2015-03-27 Thread Lesley Kimmel
All;

I'm an administrator/engineer responsible for compiling Apache with OpenSSL 
supporting FIPS mode. I've got a good process down that generally works. 
However, I am looking for a little help on some details because I am not a 
developer and am not about digging through the source code to figure out these 
issues.

a) I don't typically run 'make depend' and things seem to work. However, the 
OpenSSL compile wiki directs to run this command. What will this do for me?
b) I know that I can disable SSLv2 and SSLv3 via Apache itself but I see that 
there are options (no-ssl2, no-ssl3) that can be used during compilation of 
OpenSSL which will presumably disable them altogether. However, when compiling 
this way the 'make test' always fails with some useless error. For example, 
when compiling just with 'no-ssl2' I get the following:

../util/shlib_wrap.sh ./evp_extra_test
PASS
test SSL protocol
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods:
  NONE
139934033385128:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1716:
139934033385128:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1716:
test ssl2 is forbidden in FIPS mode
Testing was requested for a disabled protocol. Skipping tests.
make[1]: *** [test_ssl] Error 1
make[1]: Leaving directory `/opt/apache_stage/httpd/srclib/openssl/test'
make: *** [tests] Error 2

Is this expected behavior? Is there any way to disable SSLv2/3 while still 
passing the tests? I feel that passing the tests is pretty important to my 
confidence in the final product.
  ___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] OpenSSL Compile Issues (and general knowledge questions)

2015-03-27 Thread John Foley
The 'make depend' regenerates the dependencies for the makefiles. The 
dependencies will change depending on the configuration options you've 
passed to OpenSSL.  If you're new to using GNU make, here's a decent 
explanation:


http://make.mad-scientist.net/papers/advanced-auto-dependency-generation/

Your second question reflects a problem in the test/testssl script. This 
script is largely unaware of most configuration options (e.g. no-ssl3).  
This script is attempting to run the SSL3 unit tests even though you 
have omitted support for SSL3 in the library.  You may want to open a 
bug in the OpenSSL request tracker 
(https://www.openssl.org/support/rt.html).






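A way to confirm what no-ssl2 / no-ssl3 actually removed from a build, independent of the test/testssl result discussed above. This is an added example, not part of the thread or of OpenSSL's own scripts: it checks a generated opensslconf.h for the OPENSSL_NO_SSL2 / OPENSSL_NO_SSL3 defines. The header path, the script name and the sample header are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read a generated opensslconf.h and
# report which protocols were compiled out by no-ssl2 / no-ssl3.

# proto_disabled HEADER PROTO: succeeds if "#define OPENSSL_NO_<PROTO>" exists.
proto_disabled() {
    # Accept "#define" and "# define"; require the exact macro name so the
    # legacy NO_SSL2-style aliases further down the header do not match.
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_$2([[:space:]]|\$)" "$1"
}

# check_build HEADER PROTO...: one status line per protocol; returns 1 if
# any listed protocol is still compiled in, 2 if the header is unreadable.
check_build() {
    hdr=$1; shift
    [ -r "$hdr" ] || { echo "cannot read $hdr" >&2; return 2; }
    rc=0
    for p in "$@"; do
        if proto_disabled "$hdr" "$p"; then
            echo "$p: compiled out"
        else
            echo "$p: STILL ENABLED"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample, laid out like the header of a build configured with
# no-ssl2 only (the case in the question). Not taken from a real build.
write_sample_header() {
    cat > "$1" <<'EOF'
#ifndef OPENSSL_DOING_MAKEDEPEND
#ifndef OPENSSL_NO_SSL2
# define OPENSSL_NO_SSL2
#endif
#endif /* OPENSSL_DOING_MAKEDEPEND */
#ifdef OPENSSL_ALGORITHM_DEFINES
# if defined(OPENSSL_NO_SSL2) && !defined(NO_SSL2)
#  define NO_SSL2
# endif
#endif
EOF
}

# Usage (hypothetical script name): sh check_protocols.sh <opensslconf.h> SSL2 SSL3
if [ "$#" -ge 2 ]; then check_build "$@"; fi
```

A non-zero exit status means at least one listed protocol is still compiled in, so the check can gate a build pipeline even when 'make test' cannot be relied on for that configuration.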