I think this is what you should be doing:

1) build openssl-fips-1.1.1

   ./config fips
   make
   make install

2) build openssl-0.9.7m

   ./config fips --with-fipslibdir=/usr/local/ssl/lib \
       --openssldir=/etc/ssl --prefix=/usr zlib-dynamic \
       no-idea no-mdc2 no-rc5
   make depend
   make
   make install

You can add other no-xxx entries to exclude algorithms you don't want in the openssl-0.9.7m build when running in non-FIPS mode. When you put openssl-0.9.7m into FIPS mode, then you are programmatically restricted to the FIPS approved algorithms.

Bill

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Carlo Milono
Sent: June 1, 2007 1:09 AM
To: openssl-users@openssl.org
Subject: Q's on making 0.9.8e with FIPS 1.1.1 and no-cipher/enable-cipher

On a Linux AS4 machine, I was able to successfully build both 0.9.8e and FIPS 1.1.1 and have both pass all tests :-)

The VERSION in the FIPS Makefile is different than the version of the base OpenSSL, and the only way to change the output of "openssl version" is to change the header file. I've done that to reflect the base (23 Feb 2007) so that now when I execute "openssl version" it reflects both the base and the fact that it is linked with the FIPS module.

I've been told that I need to use the same version of OpenSSL that is reflected in the base - i.e., I cannot use 0.9.8e. I don't think this is correct as the FIPS 1.1.1 has been quite stable from what I can see, and that the FIPS certificate is for the FIPS module independent of the base. Is this a correct interpretation?

Next, due to export regulations, we don't want any ciphers in this build that weren't in the previous builds, so I executed a "./config no-idea no-EXP1024..." and several others that were "top level". I don't want to muck around in the build/release area to copy any configuration files at this time (don't ask why) - I'm trying to build a compliant FIPS-based OpenSSL on my own. It didn't seem to work for "no-idea" and some of the others.
I'm curious how I can validate the "./config" without having to completely read through the config -> CONFIGURATION -> Makefile chain.

Next, aside from the top level ciphers, I want to eliminate specific ones. Here is my list:

  IDEA - patent - remove through config (doesn't work?!)
  DES-CBC3-MD5 - SSLv2 cipher - remove per our policy (can't specify no-DES-CBC3-MD5)
  DES-CBC-MD5 - SSLv2 cipher - remove per our policy (can't remove for same as above)

  Alternate Export-class ciphers:
    RC2-CBC-MD5 (no-RC2 works)
    DHE-DSS-RC4-SHA (need to keep DHE top level)
    EXP1024-*-*-* (no-EXP1024 seems to work)
    EXP-RC2-CBC-MD5 (need to keep some EXP-*)
    EXP-RC4-CBC-MD5 (same as above)

  Odd One:
    RC4-64-MD5 - not listed in any OpenSSL docs I've found (need to keep some RC4)

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
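As an added example (not part of either message in this thread), a POSIX shell check that compares an `openssl ciphers -v` listing against the deny list Carlo describes, so the result of a `./config no-xxx` build can be verified from the binary rather than by reading the Makefile chain. The cipher lines below are constructed sample output standing in for a real build; the deny list and the Enc=IDEA rule are assumptions drawn from the thread.

```shell
#!/bin/sh
# Constructed sample in the format of `openssl ciphers -v`:
#   name  protocol  Kx=  Au=  Enc=  Mac=  [export]
# For a real build, capture the list instead:
#   openssl ciphers -v 'ALL:COMPLEMENTOFALL' > ciphers.txt
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA  SSLv3 Kx=DH       Au=RSA Enc=AES(256)  Mac=SHA1
IDEA-CBC-SHA        SSLv3 Kx=RSA      Au=RSA Enc=IDEA(128) Mac=SHA1
DES-CBC3-MD5        SSLv2 Kx=RSA      Au=RSA Enc=3DES(168) Mac=MD5
EXP-RC2-CBC-MD5     SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40)   Mac=MD5  export
EXP1024-RC4-SHA     SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56)  Mac=SHA1 export
RC4-SHA             SSLv3 Kx=RSA      Au=RSA Enc=RC4(128)  Mac=SHA1'

# Suites the poster wants removed (exact names from the thread). EXP1024-*
# and IDEA-based suites are matched by pattern below, not by name.
DENY_NAMES='DES-CBC3-MD5 DES-CBC-MD5 RC2-CBC-MD5 DHE-DSS-RC4-SHA EXP-RC2-CBC-MD5 RC4-64-MD5'

# cipher_violations CIPHER_TEXT
# Prints the name of every suite that is on the deny list, starts with
# EXP1024-, or uses IDEA as its bulk cipher (field 5 is the Enc= column).
cipher_violations() {
    printf '%s\n' "$1" | awk -v deny="$DENY_NAMES" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) bad[d[i]] = 1 }
        NF == 0 { next }
        ($1 in bad) || ($1 ~ /^EXP1024-/) || ($5 ~ /^Enc=IDEA/) { print $1 }
    '
}

# count_violations CIPHER_TEXT -> number of offending suites (0 means the
# no-xxx options took effect for everything on the policy)
count_violations() {
    cipher_violations "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample: lists the four offenders.
cipher_violations "$SAMPLE_CIPHERS"
```

Run it against a real listing with `cipher_violations "$(openssl ciphers -v 'ALL:COMPLEMENTOFALL')"`; a non-zero count means the build still carries a suite the policy excludes.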