> From: Jakob Bohm <jb-open...@wisemo.com> > Date: 09/09/2011 05:36 AM > Subject: Re: out range error compiling fips 1.2.3 > > On 9/8/2011 9:35 PM, Kenneth Goldman wrote: > > ... > > > > A second question. In researching this error, I saw someone compile with > > ./config fipscanisterbuild > > That's not in the INSTALL file. Do I need this?
> Hmm, in previous versions of the FIPS module, there was an > official document as part of the FIPS approval which restricted > the FIPS certification to use of a specific sequence of build steps, > one of which was that command. > > Maybe the "INSTALL" file is the standard OpenSSL INSTALL file and > not the true FIPS instructions, or maybe that command is only for > the old FIPS module for version 0.9.x and not for the new module for > version 1.0.x . > > Someone else on this list certainly knows which of those two applies. I think you're right that the INSTALL file is the standard one. The string "FIPS" never appears. IMHO, this is a bug in the FIPS tarball. For the record, - When one specifies fipscanisterbuild, a message appears that one should go to www.openssl.org/docs/fips - In that page, there's a pdf "SecurityPolicy" that suggests ./config fipscanisterbuild noasm This eliminates the 'out range' error. But them make test fails with this: ~~~~~~~~ echo test normal x509v1 certificate test normal x509v1 certificate sh ./tx509 2>/dev/null testing X509 conversions p -> d make[1]: *** [test_x509] Error 1 make[1]: Leaving directory `/home/kgold/Downloads/openssl-fips-1.2.3/test' make: *** [tests] Error 2
