Mark Parr wrote:
First, let me say that this is my first attempt to install any version
of the OpenSSL other than what gets distributed w/ the Linux OS and
any updates that are provided via subscription thereafter. It is also
my first attempt at enabling the FIPS option.
On a SUSE 10 SP2 release, I have successfully installed OpenSSL 0.9.8o
and created the RPM files to replace the ones installed w/ the load of
the Operating System. The RPM process replaced the base OS OpenSSL
release level w/ the latest version. (The .spec file complained about
a lack of a License tag and the existence of a Copyright tag but I
added one and removed the other.)
I then loaded the openssl-fips-1.2.tar.gz file into a different
directory and attempted to create an RPM install for it as well but
have hit some issues. First off, rpmbuild complained that it could
not find the openssl-0.9.8f.tar.gz file in /usr/src/packages/SOURCES.
I found and changed the version information in the .spec file to
version 0.9.8o since that tar.gz file was in the given directory.
Executing the command:
smicro1:~/openssl/openssl-fips-1.2 # rpmbuild -ba ./openssl.spec
runs for a while until it eventually reports the following:
+ cd /usr/src/packages/BUILD
+ cd openssl-0.9.8o
+ DOCDIR=/var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
+ export DOCDIR
+ rm -rf /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
+ /bin/mkdir -p /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
+ cp -pr CHANGES CHANGES.SSLeay LICENSE NEWS README /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
+ cp -pr doc /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
+ exit 0
Finding Provides: /usr/lib/rpm/find-provides openssl
Finding Requires: /usr/lib/rpm/find-requires openssl
Finding Supplements: /usr/lib/rpm/find-supplements openssl
Requires(rpmlib): rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1
Requires: openssl
Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/openssl-0.9.8o-root
error: Installed (but unpackaged) file(s) found:
   /usr/lib/engines/lib4758cca.so
   /usr/lib/engines/libaep.so
   /usr/lib/engines/libatalla.so
   /usr/lib/engines/libcapi.so
   /usr/lib/engines/libchil.so
   /usr/lib/engines/libcswift.so
   /usr/lib/engines/libgmp.so
   /usr/lib/engines/libnuron.so
   /usr/lib/engines/libsureware.so
   /usr/lib/engines/libubsec.so
   /usr/lib/pkgconfig/libcrypto.pc
   /usr/lib/pkgconfig/libssl.pc
RPM build errors:
    Installed (but unpackaged) file(s) found:
   /usr/lib/engines/lib4758cca.so
   /usr/lib/engines/libaep.so
   /usr/lib/engines/libatalla.so
   /usr/lib/engines/libcapi.so
   /usr/lib/engines/libchil.so
   /usr/lib/engines/libcswift.so
   /usr/lib/engines/libgmp.so
   /usr/lib/engines/libnuron.so
   /usr/lib/engines/libsureware.so
   /usr/lib/engines/libubsec.so
   /usr/lib/pkgconfig/libcrypto.pc
   /usr/lib/pkgconfig/libssl.pc
smicro1:~/openssl/openssl-fips-1.2 #
Can the FIPS compliant OpenSSL be built as an RPM? If so, what am I
missing to complete it properly?
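The "Installed (but unpackaged) file(s)" error above means rpmbuild's check-files step found files under the buildroot that no %files section of the spec claims; the 0.9.8f-era spec simply does not list the engine plugins and pkgconfig files that the 0.9.8o build installs. As an added example that is not part of either message, this POSIX shell script pulls the offending paths out of a constructed copy of that rpmbuild output and prints the %files lines to paste into the spec (assumption: the spec uses the standard %{_libdir} macro, which expands to /usr/lib on this 32-bit SUSE build):

```shell
#!/bin/sh
# Constructed excerpt of the rpmbuild output quoted in the post.
RPMBUILD_LOG='error: Installed (but unpackaged) file(s) found:
   /usr/lib/engines/lib4758cca.so
   /usr/lib/engines/libaep.so
   /usr/lib/engines/libatalla.so
   /usr/lib/engines/libcapi.so
   /usr/lib/engines/libchil.so
   /usr/lib/engines/libcswift.so
   /usr/lib/engines/libgmp.so
   /usr/lib/engines/libnuron.so
   /usr/lib/engines/libsureware.so
   /usr/lib/engines/libubsec.so
   /usr/lib/pkgconfig/libcrypto.pc
   /usr/lib/pkgconfig/libssl.pc
RPM build errors:'

# Print the paths rpmbuild reported as unpackaged, one per line.
# Only the block between the "error:" header and the "RPM build errors:"
# summary is considered, so the duplicated summary list is not counted twice.
unpackaged_files() {
  printf '%s\n' "$1" \
    | sed -n '/^error: Installed (but unpackaged) file(s) found:/,/^RPM build errors:/p' \
    | grep '^[[:space:]]*/' \
    | sed 's/^[[:space:]]*//'
}

# Rewrite each path as a %files entry using the %{_libdir} macro
# (assumption: the spec uses the standard RPM macro rather than /usr/lib).
files_section() {
  unpackaged_files "$1" | sed 's|^/usr/lib/|%{_libdir}/|'
}

# Usage: paste the output into the %files section of openssl.spec
# (or into the %files of the -devel subpackage for the .pc files).
files_section "$RPMBUILD_LOG"
```

After adding the lines, rerun `rpmbuild -ba ./openssl.spec`; if the build later installs more files, the same script shows which entries are still missing.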
I haven't actually tried using rpmbuild to generate the OpenSSL FIPS
Object Module but don't see any reason why that would not be possible in
the narrow technical sense of starting with a spec file and saying "hey,
here's a fipscanister.o file!".
However, I think you need to step back and think about your objectives.
The only reason to fool with the FIPS module in the first place is
because you have to, as a policy mandate or to sell to customers subject
to a policy mandate. Absent such a mandate there is no technical
advantage to the FIPS module versus the regular unadorned OpenSSL
library -- performance is no better (worse if you include the POST step)
and it is not more secure in any real world sense (in fact it is
operationally far less secure if you factor in the near impossibility of
deploying vulnerability fixes).
So, you're building the FIPS module because you want to satisfy a
mandate for a FIPS 140-2 validated module. That is the decisive factor
that should drive your build process. So build that validated module
*once*, carefully (as described in the Security Policy and User Guide,
http://www.openssl.org/docs/fips/), and then use that one binary file
for all your subsequent applications. You will want to keep a paper
trail to prove you followed the peculiar and specific requirements of
the Security Policy for generating the Module. IMHO there is really no
point in trying to build it from source again and again.
-Steve M.
--
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org