That was very clear and great help Kyle!! Even though I had spent time on Security Policy earlier, the build procedure was not clear, at least for me, until now.
If you wouldn't mind, could you answer one more question of mine? I want to use the libeay32.dll and ssleay32.dll from the above build in my application. Now, is it sufficient if I use the Openssl-fips-1.2 dlls or should I use it with Openssl-0.9.8j module? Because I had read about it in one of the replies in this forum, that Openssl-fips-1.2 is to be used in conjunction with Openssl-0.9.8j. If this is true, should I build Openssl-0.9.8j using Openssl-fips-1.2 libraries? Again what is the build procedure for this? I used to follow the below steps for Openssl-0.9.8j:

perl Configure VC-WIN32 no-asm fips --with-fipslibdir=<path of Openssl-fips-1.2 dlls>
ms\do_ms
vcvars32.bat
nmake -f ms\ntdll.mak

Regards,
Uma

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Kyle Hamilton
Sent: Thursday, March 26, 2009 11:42 AM
To: openssl-users@openssl.org
Subject: Re: Server crash while starting service

More specifically:

(and before anyone berates me: I apologize for the snarkiness of the rest of this post, I'm only trying to make a point with a bit of humor.)

Delete the current FIPS source tree you've got. It's not viable, and it can never create any module that can claim FIPS validation. Just wipe it.

Then, download and read the Security Policy. It's only 16 pages long, not big at all, and you get it from http://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf . Once you read that, you'll understand what you have to do, and why. In fact, go download it and read it right now -- I'll wait.

...
...
...

Only after you've read the Security Policy (you HAVE read it, haven't you? No? I'm serious. I can't stress enough that IT IS ABSOLUTELY VITAL THAT YOU READ THE SECURITY POLICY!!!!)... open a command prompt and set up your environment, by doing vcvars32.bat. Then, untar the source code for the module -- this can be done in another application, such as 7zip, but LEAVE YOUR ORIGINAL WINDOW OPEN.

Then, cd to the openssl-fips-1.2.0\ directory, and then type the following:

ms\do_fips no-asm

Do NOT run Configure. 'ms\do_fips no-asm' will do everything for you.

Again: Read the Security Policy. It includes these instructions, though perhaps not quite as well spelled-out. (In order to understand what it means to have an OpenSSL that can claim FIPS validation, you need to read it. It's only 16 pages long, and the instructions are on page 14.)

-Kyle H

On Wed, Mar 25, 2009 at 10:56 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> If you're on Windows, you MUST use either "ms\do_fips" or "ms\do_fips no-asm".
>
> -Kyle H
>
> On Wed, Mar 25, 2009 at 8:40 PM, Uma G. Nayak <uma_na...@mindtree.com> wrote:
>> Hi,
>>
>> 1) Where should the no-asm option be given? With the Configure command or the do_fips command? I have used no-asm with Configure command.
>>
>> I have built as follows:
>>
>> perl Configure VC-WIN32 no-asm
>> vcvars32.bat
>> ms\do_fips
>>
>> 2) out32dll\fips_test_suite gives the following:
>>
>> FIPS-mode test application
>>
>> 1. Non-Approved cryptographic operation test...
>> a. Included algorithm (D-H)...successful
>> 2. Automatic power-up self test...ERROR:2d06c071:lib=45,func=108,reason=113:file=.\fips\fips.c:line=274:
>> FAILED!
>>
>>
>> Uma
>>
>> -----Original Message-----
>> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
>> Sent: Wednesday, March 25, 2009 11:56 PM
>> To: openssl-users@openssl.org
>> Subject: Re: Server crash while starting service
>>
>> On Thu, Mar 26, 2009, Uma G. Nayak wrote:
>>
>>> Still no luck :(. Is it that FIPS mode doesn't work on AMD processors? In the Security Policy pdf at https://www.openssl.org/docs/fips/SecurityPolicy-1.2.pdf 8 platforms on which the Module was tested are listed:
>>>
>>> U1 Linux x86 no-asm Linux.2.6.18_i686_gcc-4.1.2 (OpenSuSE 10.2) no-asm
>>> U2 Linux x86-64 no-asm Linux.2.6.20_x86-64_gcc-4.1.2 (OpenSuSE 10.2)
>>> U3 Linux x86 asm Linux.2.6.18_i686_gcc-4.1.2 (OpenSuSE 10.2)
>>> U4 Linux x86-64 asm Linux.2.6.20_x86-64_gcc-4.1.2 (OpenSuSE 10.2)
>>> W1 Windows x86 no-asm WinXP.SP2_i386_MSVC.8.0 no-asm
>>> W2 Windows x64 no-asm WinXP.SP2_x86-64_MSVC.8.0 no-asm
>>> W3 Windows x86 asm WinXP.SP2_i386_MSVC.8.0 NASM, SSE2
>>> W4 Windows x64 asm WinXP.SP2_x86-64_MSVC.8.0
>>>
>>> Does this mean that this module works only on Pentium platforms? What if I want to run an application in FIPS mode on a say, AMD machine without SSE2 support? Or this 'SSE2 support' ends at lower Pentium machines?
>>>
>>
>> Did you use the correct command to build the validated tarball i.e.:
>>
>> ms\do_fips no-asm
>>
>> What happens when you do.
>>
>> out32dll\fips_test_suite
>>
>> afterwards? I don't have a non-sse2 WIN32 platform to test on.
>>
>> Steve.
>> --
>> Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
>> OpenSSL project core developer and freelance consultant.
>> Homepage: http://www.drh-consultancy.demon.co.uk
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org
>>
>> http://www.mindtree.com/email/disclaimer.html
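
The failed power-up self-test line quoted in this thread carries the library, function and reason numbers twice: once packed into the leading hex field and once as printed decimals. As an added example (not part of the original messages and not OpenSSL project code), the Python below parses such a line and checks that both forms agree, assuming the 8/12/12-bit error-code packing used by OpenSSL releases of that era; the function names are hypothetical.

```python
import re

# Assumed packing for OpenSSL 0.9.8-era error codes (see lead-in):
# top 8 bits = library, next 12 bits = function, low 12 bits = reason.
def unpack_error(code):
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF

# Matches the ERROR entry format shown in the quoted fips_test_suite output.
# The file field is non-greedy so paths with a drive letter still parse.
ERR_LINE = re.compile(
    r"ERROR:(?P<code>[0-9a-fA-F]{1,8})"
    r":lib=(?P<lib>\d+),func=(?P<func>\d+),reason=(?P<reason>\d+)"
    r":file=(?P<file>.+?):line=(?P<line>\d+)"
)

def parse_selftest_output(text):
    """Return one dict per ERROR entry found in fips_test_suite output."""
    findings = []
    for m in ERR_LINE.finditer(text):
        code = int(m.group("code"), 16)
        printed = tuple(int(m.group(k)) for k in ("lib", "func", "reason"))
        findings.append({
            "code": code,
            "lib": printed[0], "func": printed[1], "reason": printed[2],
            "file": m.group("file"), "line": int(m.group("line")),
            # False means the packed code and the printed fields disagree,
            # e.g. the line was truncated or edited before it reached you.
            "consistent": unpack_error(code) == printed,
        })
    return findings

# Output as quoted in the thread, with the wrapped line re-joined.
SAMPLE = r"""FIPS-mode test application

1. Non-Approved cryptographic operation test...
a. Included algorithm (D-H)...successful
2. Automatic power-up self test...ERROR:2d06c071:lib=45,func=108,reason=113:file=.\fips\fips.c:line=274:
FAILED!
"""

if __name__ == "__main__":
    for finding in parse_selftest_output(SAMPLE):
        print(finding)
```
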