I’m sorry I wasn’t clear.

The tweak was done during the second phase of the build, where you link the 
fipscanister to a more recent OpenSSL. The fips-1.2 build phase was untweaked. 
So I think we are compliant.

Christopher A Hotchkiss
JPMorgan Chase & Co. - Navy Cash Application Developer
Email christopher.a.hotchk...@jpmchase.com

From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] 
On Behalf Of carlyo...@keycomm.co.uk
Sent: Thursday, December 09, 2010 11:50 AM
To: openssl-users@openssl.org
Subject: Re: RE: Problems building FIPS Openssl under Server 2008 R2


My 2-cents worth...

If you had to tweak ANYTHING then this is not a "FIPS-approved" build.

Carl


On Thu 09/12/10 4:39 PM, Christopher A Hotchkiss 
christopher.a.hotchk...@jpmchase.com sent:
To All,
I was able to get OpenSSL FIPS to build and run on Server 2008 R2 by building 
on Server 2003 32bit.

I also had to tweak the ms\ntdll.mak file and add "/FIXED" on lines 33 and 76.

Christopher A Hotchkiss
JPMorgan Chase & Co. - Navy Cash Application Developer
Email christopher.a.hotchk...@jpmchase.com

-----Original Message-----
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org]
 On Behalf Of Christopher A Hotchkiss
Sent: Monday, December 06, 2010 3:32 PM
To: openssl-users@openssl.org
Subject: Problems building FIPS Openssl under Server 2008 R2

To whom it may concern,
I have been attempting to build a FIPS capable openssl using the instructions 
in the User Guide. However, I am getting the following error while trying to run 
the fips validation of the archive:

c:\build\openssl\openssl-0.9.8p\out32dll>C:\build\openssl\openssl\bin\openssl.exe sha1 -hmac etaonrishdlcupfm C:\build\openssl-fips\openssl-fips-1.2.tar.gz
2848:error:2D06906E:FIPS routines:FIPS_CHECK_INCORE_FINGERPRINT:fingerprint does not match:.\fips\fips.c:238:

I found a thread on the dev list describing the use of the "/FIXED" linker flag 
but that is not working either. Can anyone help? I have included the steps I am 
following below:

Install Server 2008 R2 x64
Install Notepad++
Install .Net Framework 4
Install Windows SDK
Install the April 2005 x64 Platform SDK from MSDN
Install 7-zip
Install Gpg4win
Install ActivePerl

Create folder C:\build

OpenSSL FIPS - Note do not under ANY circumstances edit any of the openssl 
code/scripts/files during the fips build process
Start following http://www.openssl.org/docs/fips/UserGuide-1.2.pdf on page 25
Download http://www.openssl.org/source/openssl-fips-1.2.tar.gz
 to C:\build\openssl-fips
Download http://www.openssl.org/source/openssl-fips-1.2.tar.gz.asc
 to C:\build\openssl-fips as well
Open a command prompt start->run->cmd
cd c:\build\openssl-fips
gpg openssl-fips-1.2.tar.gz.asc

It will complain about a missing public key. Check the reported Key ID against 
Appendix A. If it doesn't match we have issues.
Next go to start->all programs->gpg4win->GPA
Click no to creating your own public key
At the top go to server->retrieve keys and enter the key id that you saw at the 
command prompt.
It should download a single key.
Go back to the command prompt and rerun the command
cd c:\build\openssl-fips
gpg openssl-fips-1.2.tar.gz.asc
It should report a good signature and also complain that the key isn't trusted.
Validate the primary key fingerprint against Appendix A of the user guide.

Extract the tar.gz file to C:\build\openssl-fips\openssl-fips-1.2
Make sure to keep the tar.gz around since it will be needed for further 
validation after the build.

Start a command prompt using the Microsoft Platform SDK Server 2003 x64 Retail 
Build Shortcut
cd c:\build\openssl-fips\openssl-fips-1.2
ms\do_fips no-asm

Once that completes create the following folder c:\build\openssl-fips\lib
Copy the following files to that folder:
c:\build\openssl-fips\openssl-fips-1.2\out32dll\fips_premain.c
c:\build\openssl-fips\openssl-fips-1.2\out32dll\fips_premain.c.sha1
c:\build\openssl-fips\openssl-fips-1.2\out32dll\fipscanister.lib
c:\build\openssl-fips\openssl-fips-1.2\out32dll\fipscanister.lib.sha1

Build Normal OpenSSL
Make a folder named c:\build\openssl
Download the latest 0.9.8b < x < 1.0.0 openssl source from here: 
http://www.openssl.org/source/openssl-0.9.8p.tar.gz
 to c:\build\openssl

Extract the tar.gz file to C:\build\openssl\openssl-0.9.8p

Start a command prompt using the Microsoft Platform SDK Server 2003 x64 Retail 
Build Shortcut
cd C:\build\openssl\openssl-0.9.8p
perl Configure VC-WIN64A fips --with-fipslibdir=c:\build\openssl-fips\lib
ms\do_win64a

In file C:\build\openssl\openssl-0.9.8p\ms\ntdll.mak lines 33 and 76
add "/FIXED" to the end of the line.

Go back to the command prompt and run
nmake -f ms\ntdll.mak
cd out32dll
..\ms\test

Once that completes create the following folders
c:\build\openssl\openssl
c:\build\openssl\openssl\bin
c:\build\openssl\openssl\lib
c:\build\openssl\openssl\include
c:\build\openssl\openssl\include\openssl
Copy the following files to their matching folders:
inc32\openssl\* - c:\openssl\include\openssl
out32dll\ssleay32.lib - c:\openssl\lib
out32dll\libeay32.lib - c:\openssl\lib
out32dll\ssleay32.dll - c:\openssl\bin
out32dll\libeay32.dll - c:\openssl\bin
out32dll\openssl.exe - c:\openssl\bin

FIPS Validate the openssl-fips download
Open a command prompt and run the following
set OPENSSL_FIPS=1;
C:\build\openssl\openssl\bin\openssl.exe sha1 -hmac etaonrishdlcupfm 
C:\build\openssl-fips\openssl-fips-1.2.tar.gz

Can someone please help?

Christopher A Hotchkiss
JPMorgan Chase & Co.


This communication is for informational purposes only. It is not
intended as an offer or solicitation for the purchase or sale of
any financial instrument or as an official confirmation of any
transaction. All market prices, data and other information are not
warranted as to completeness or accuracy and are subject to change
without notice. Any comments or statements made herein do not
necessarily reflect those of JPMorgan Chase & Co., its subsidiaries
and affiliates.

This transmission may contain information that is privileged,
confidential, legally privileged, and/or exempt from disclosure
under applicable law. If you are not the intended recipient, you
are hereby notified that any disclosure, copying, distribution, or
use of the information contained herein (including any reliance
thereon) is STRICTLY PROHIBITED. Although this transmission and any
attachments are believed to be free of any virus or other defect
that might affect any computer system into which it is received and
opened, it is the responsibility of the recipient to ensure that it
is virus free and no responsibility is accepted by JPMorgan Chase &
Co., its subsidiaries and affiliates, as applicable, for any loss
or damage arising in any way from its use. If you received this
transmission in error, please immediately contact the sender and
destroy the material in its entirety, whether in electronic or hard
copy format. Thank you.

Please refer to http://www.jpmorgan.com/pages/disclosures for
disclosures relating to European legal entities.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
______________________________________________________________________
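The distribution check in the steps above is a plain HMAC-SHA-1 of the downloaded archive under the fixed key "etaonrishdlcupfm", compared by eye against the fingerprint printed in the User Guide. The script below is an added example, not code from the thread or from the OpenSSL project: it reproduces that computation so the comparison can be scripted, compares in constant time, and shows that flipping a single byte of the archive changes the fingerprint. The expected fingerprint for openssl-fips-1.2.tar.gz is not reproduced here and must be taken from the User Guide; the archive bytes in `demo()` are constructed stand-ins, not the real tarball. Note that the FIPS_CHECK_INCORE_FINGERPRINT error quoted in the thread is raised by the module's own start-up integrity test on the linked fipscanister, which this script does not replace.

```python
"""Scripted version of: openssl sha1 -hmac etaonrishdlcupfm <archive>

Added example for the OpenSSL FIPS distribution check. Not project code.
"""
import hashlib
import hmac

# Key used by the OpenSSL FIPS User Guide for the distribution fingerprint.
FIPS_HMAC_KEY = b"etaonrishdlcupfm"
CHUNK_SIZE = 1 << 16


def hmac_sha1_bytes(data, key=FIPS_HMAC_KEY):
    """Hex HMAC-SHA-1 of an in-memory byte string (lowercase, 40 hex chars)."""
    return hmac.new(key, data, hashlib.sha1).hexdigest()


def hmac_sha1_stream(stream, key=FIPS_HMAC_KEY):
    """Hex HMAC-SHA-1 of a binary stream, read in chunks so large
    archives are not loaded into memory at once."""
    mac = hmac.new(key, digestmod=hashlib.sha1)
    for chunk in iter(lambda: stream.read(CHUNK_SIZE), b""):
        mac.update(chunk)
    return mac.hexdigest()


def hmac_sha1_file(path, key=FIPS_HMAC_KEY):
    """Fingerprint a file on disk, e.g. the downloaded openssl-fips tarball."""
    with open(path, "rb") as f:
        return hmac_sha1_stream(f, key)


def fingerprint_matches(actual_hex, expected_hex):
    """Constant-time, case-insensitive comparison of two hex fingerprints.
    'openssl sha1 -hmac' prints lowercase; the User Guide may use either."""
    return hmac.compare_digest(actual_hex.strip().lower(),
                               expected_hex.strip().lower())


def check_archive(path, expected_hex):
    """Return (ok, actual_fingerprint) for a downloaded archive. The expected
    value is an assumption supplied by the caller (copied from the User Guide)."""
    actual = hmac_sha1_file(path)
    return fingerprint_matches(actual, expected_hex), actual


def demo():
    """Constructed data (not the real tarball): show that the fingerprint is
    stable for identical bytes and changes when any single byte is altered."""
    archive = b"constructed stand-in for openssl-fips-1.2.tar.gz\n" * 2000
    reference = hmac_sha1_bytes(archive)          # plays the User Guide value

    tweaked = bytearray(archive)
    tweaked[123] ^= 0x01                           # flip one bit, one byte
    tweaked_fp = hmac_sha1_bytes(bytes(tweaked))

    return {
        "reference": reference,
        "same_bytes_match": fingerprint_matches(hmac_sha1_bytes(archive), reference),
        "upper_case_match": fingerprint_matches(reference.upper(), reference),
        "tweak_detected": not fingerprint_matches(tweaked_fp, reference),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        ok, fp = check_archive(sys.argv[1], sys.argv[2])
        print(fp, "MATCH" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    for k, v in demo().items():
        print(k, v)
```

Run it as `python fipscheck.py C:\build\openssl-fips\openssl-fips-1.2.tar.gz <fingerprint-from-User-Guide>`; a non-zero exit on mismatch makes it usable as a gate in a build script. The tarball check only tells you the download is what openssl.org shipped; it says nothing about whether the build that follows was done unmodified.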