Use of the FIPS OpenSSL is a mandated thing and not just something that we
are looking to do for the fun of it.  In fact, the base OpenSSL was working
fine using the "FIPS AES 256 encryption" in a non "FIPS Certified" mode.

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Steve Marquess
Sent: Thursday, July 08, 2010 2:21 PM
To: openssl-users@openssl.org
Subject: Re: RPMBuild for FIPS OpenSSL

Mark Parr wrote:
>
> First, let me say that this is my first attempt to install any version 
> of the OpenSSL other than what gets distributed w/ the Linux OS and 
> any updates that are provided via subscription thereafter.  It is also 
> my first attempt at enabling the FIPS option.
>
>  
>
> On a SUSE 10 SP2 release, I have successfully installed OpenSSL 0.9.8o 
> and created the RPM files to replace the ones installed w/ the load of 
> the Operating System.  The RPM process replaced the base OS OpenSSL 
> release level w/ the latest version.  (The .spec file complained about 
> a lack of a License tag and the existence of a Copyright tag but I 
> added one and removed the other.)
>
>  
>
> I then loaded the openssl-fips-1.2.tar.gz file into a different 
> directory and attempted to create a RPM install for it as well but 
> have hit some issues.  First off, rpmbuild complained that it could 
> not find the openssl-0.9.8f.tar.gz file in /usr/src/packages/SOURCES.  
> I found and changed the version information in the .spec file to 
> version 0.9.8o since that tar.gz file was in the given directory.
>
>  
>
> Executing the command:
>
>  
>
> smicro1:~/openssl/openssl-fips-1.2 # rpmbuild -ba ./openssl.spec
>
>  
>
> runs for awhile until it eventually reports the following:
>
>  
>
> + cd /usr/src/packages/BUILD
> + cd openssl-0.9.8o
> + DOCDIR=/var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
> + export DOCDIR
> + rm -rf /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
> + /bin/mkdir -p /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
> + cp -pr CHANGES CHANGES.SSLeay LICENSE NEWS README /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
> + cp -pr doc /var/tmp/openssl-0.9.8o-root/usr/share/doc/packages/openssl-doc
> + exit 0
> Finding  Provides: /usr/lib/rpm/find-provides openssl
> Finding  Requires: /usr/lib/rpm/find-requires openssl
> Finding  Supplements: /usr/lib/rpm/find-supplements openssl
> Requires(rpmlib): rpmlib(PayloadFilesHavePrefix) <= 4.0-1 rpmlib(CompressedFileNames) <= 3.0.4-1
> Requires: openssl
> Checking for unpackaged file(s): /usr/lib/rpm/check-files /var/tmp/openssl-0.9.8o-root
> error: Installed (but unpackaged) file(s) found:
>    /usr/lib/engines/lib4758cca.so
>    /usr/lib/engines/libaep.so
>    /usr/lib/engines/libatalla.so
>    /usr/lib/engines/libcapi.so
>    /usr/lib/engines/libchil.so
>    /usr/lib/engines/libcswift.so
>    /usr/lib/engines/libgmp.so
>    /usr/lib/engines/libnuron.so
>    /usr/lib/engines/libsureware.so
>    /usr/lib/engines/libubsec.so
>    /usr/lib/pkgconfig/libcrypto.pc
>    /usr/lib/pkgconfig/libssl.pc
>
>
> RPM build errors:
>     Installed (but unpackaged) file(s) found:
>    /usr/lib/engines/lib4758cca.so
>    /usr/lib/engines/libaep.so
>    /usr/lib/engines/libatalla.so
>    /usr/lib/engines/libcapi.so
>    /usr/lib/engines/libchil.so
>    /usr/lib/engines/libcswift.so
>    /usr/lib/engines/libgmp.so
>    /usr/lib/engines/libnuron.so
>    /usr/lib/engines/libsureware.so
>    /usr/lib/engines/libubsec.so
>    /usr/lib/pkgconfig/libcrypto.pc
>    /usr/lib/pkgconfig/libssl.pc
> smicro1:~/openssl/openssl-fips-1.2 #
>
>  
>
> Can the FIPS compliant OpenSSL be built as a RPM?  If so, what am I 
> missing to complete it properly?
>

I haven't actually tried using rpmbuild to generate the OpenSSL FIPS 
Object Module but don't see any reason why that would not be possible in 
the narrow technical sense of starting with a spec file and saying "hey, 
here's a fipscanister.o file!".

However, I think you need to step back and think about your objectives.  
The only reason to fool with the FIPS module in the first place is 
because you have to, as a policy mandate or to sell to customers subject 
to a policy mandate.  Absent such a mandate there is no technical 
advantage to the FIPS module versus the regular unadorned OpenSSL 
library -- performance is no better (worse if you include the POST step) 
and it is not more secure in any real world sense (in fact it is 
operationally far less secure if you factor in the near impossibility of 
deploying vulnerability fixes).

So, you're building the FIPS module because you want to satisfy a 
mandate for a FIPS 140-2 validated module.  That is the decisive factor 
that should drive your build process.   So build that validated module 
*once*, carefully (as described in the Security Policy and User Guide, 
http://www.openssl.org/docs/fips/), and then use that one binary file 
for all your subsequent applications.  You will want to keep a paper 
trail to prove you followed the peculiar and specific requirements of 
the Security Policy for generating the Module.  IMHO there is really no 
point in trying to build it from source again and again.

-Steve M.

-- 
Steve Marquess
The OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877-673-6775
marqu...@opensslfoundation.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
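The rpmbuild failure quoted above comes from rpm's check-files step, which compares what `make install` left in the buildroot against the globs in the spec's `%files` section and aborts when anything is left over. The script below is an added example (not from the thread, the OpenSSL project or rpm) that reproduces that comparison offline: the engine and pkgconfig paths are taken from the quoted error, the other paths are constructed, and both `%files` lists are hypothetical because the .spec itself is not in the thread.

```shell
#!/bin/sh
# Added example: offline stand-in for rpm's check-files step, showing why the
# build stopped with "Installed (but unpackaged) file(s) found" and how two
# extra %files entries clear it. Not part of the thread or of rpm itself.

# Constructed: what `make install` left under the buildroot (engine and .pc
# paths are the ones from the quoted error, the rest are made up here).
INSTALLED='/usr/lib/libcrypto.so.0.9.8
/usr/lib/libssl.so.0.9.8
/usr/lib/engines/lib4758cca.so
/usr/lib/engines/libaep.so
/usr/lib/pkgconfig/libcrypto.pc
/usr/lib/pkgconfig/libssl.pc
/usr/share/doc/packages/openssl-doc/README'

# Hypothetical %files globs that reproduce the error: no entry covers the
# engines directory or the pkgconfig files.
FILES_BEFORE='/usr/lib/libcrypto.so.*
/usr/lib/libssl.so.*
/usr/share/doc/packages/openssl-doc/*'

# The same %files with the two entries that account for every installed file.
FILES_AFTER="$FILES_BEFORE
/usr/lib/engines/*.so
/usr/lib/pkgconfig/*.pc"

# matches PATH PATTERNS: succeed if PATH matches at least one glob in PATTERNS.
# The caller sets -f so $2 is split on whitespace without being expanded against
# the real filesystem; case still does pattern matching with -f in effect.
matches() {
    for pat in $2; do
        case $1 in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# unpackaged PATTERNS: print each installed path that no glob covers, which is
# the list check-files reports before rpmbuild aborts.
unpackaged() {
    set -f
    for path in $INSTALLED; do
        matches "$path" "$1" || printf '%s\n' "$path"
    done
    set +f
}

# count_unpackaged PATTERNS: number of offending files (0 means the build passes).
count_unpackaged() {
    unpackaged "$1" | grep -c . || true
}

echo "Before: $(count_unpackaged "$FILES_BEFORE") unpackaged file(s)"  # 4
echo "After:  $(count_unpackaged "$FILES_AFTER") unpackaged file(s)"   # 0
```

rpm also lets a spec set `%define _unpackaged_files_terminate_build 0` to downgrade this error to a warning; for a build you have to document for FIPS purposes, listing every installed file explicitly is the better record.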

