On Sun, May 08, 2011, The Doctor wrote:

> On Sun, May 08, 2011 at 02:02:59PM -0600, The Doctor wrote:
> > Finally got fips to work, however
> >
> > 1) In either README or READ.FIPS, please state to compile FIPS, please use
> > GNU make. BSD make was choking
> >
> > 2) openssl version -a yields
> >
> > OpenSSL 1.1.0-fips-dev xx XXX xxxx
> > built on: Sun May 8 10:06:19 MDT 2011
> > platform: debug-bsdi-x86-elf
> > options: bn(64,32) md2(int) rc4(4x,int) des(ptr,risc1,16,long) idea(int)
> > blowfish(idx)
> > compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS
> > -pthread -D_THREAD_SAFE -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -g -O2
> > -Wall -DPERL5 -DL_ENDIAN -DTERMIOS -fomit-frame-pointer -O2 -Wall -g
> > -DOPENSSL_EXPERIMENTAL_JPAKE -DOPENSSL_EXPERIMENTAL_STORE
> > -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_GF2m
> > -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM
> > -DGHASH_ASM
> >
> > Please fix.
>
> Additional,
>
> In Apache 2.2 I get
>
> [Sun May 08 15:39:25 2011] [notice] Apache/2.2.17 (Unix) DAV/2 configured -- resuming normal operations
> [Sun May 08 15:39:47 2011] [error] [client 127.0.0.1] Invalid method in request quit
> [Sun May 08 16:28:56 2011] [notice] caught SIGTERM, shutting down
> [Sun May 08 16:29:49 2011] [notice] Operating in SSL FIPS mode
> [Sun May 08 16:29:49 2011] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
> [Sun May 08 16:29:49 2011] [error] Init: Skipping generating temporary 512 bit DH parameters in FIPS mode
> [Sun May 08 16:29:49 2011] [warn] RSA server certificate CommonName (CN) `ns2.nk.ca' does NOT match server name!?
> [Sun May 08 16:29:49 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/contrib/bin/suexec)
> [Sun May 08 16:29:51 2011] [error] Init: Skipping generating temporary 512 bit RSA private key in FIPS mode
> [Sun May 08 16:29:51 2011] [error] Init: Failed to generate temporary 1024 bit RSA private key
> [Sun May 08 16:29:51 2011] [error] SSL Library Error: 755589263 error:2D09608F:FIPS routines:fips_check_rsa_prng:prng strength too low
> Configuration Failed
> [Sun May 08 16:31:18 2011] [notice] suEXEC mechanism enabled (wrapper: /usr/contrib/bin/suexec)
> [Sun May 08 16:31:20 2011] [notice] Digest: generating secret for digest authentication ...
> [Sun May 08 16:31:20 2011] [notice] Digest: done
> [Sun May 08 16:31:20 2011] [notice] Apache/2.2.17 (Unix) DAV/2 configured -- resuming normal operations
>
> All right what needs to be fixed?
>
I'm surprised it gets that far. There is, as yet, no FIPS capable OpenSSL that works with the new validated module. Meaning you can run the tests in README.FIPS but you can't use regular applications in FIPS mode.

I'm interested in what is causing this message though:

> FIPS routines:fips_check_rsa_prng:prng strength too low

I suspect that the OPENSSL_init() function isn't being called.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org