On Fri, Sep 09, 2011, Kenneth Goldman wrote:

> > From: Jakob Bohm <jb-open...@wisemo.com>
> > Date: 09/09/2011 05:36 AM
> > Subject: Re: out range error compiling fips 1.2.3
> > 
> > On 9/8/2011 9:35 PM, Kenneth Goldman wrote:
> > > ...
> > >
> > > A second question. In researching this error, I saw someone compile with
> > >   ./config fipscanisterbuild
> > > That's not in the INSTALL file. Do I need this? 
> 
> > Hmm, in previous versions of the FIPS module, there was an
> > official document as part of the FIPS approval which restricted
> > the FIPS certification to use of a specific sequence of build steps,
> > one of which was that command.
> > 
> > Maybe the "INSTALL" file is the standard OpenSSL INSTALL file and
> > not the true FIPS instructions, or maybe that command is only for
> > the old FIPS module for version 0.9.x and not for the new module for
> > version 1.0.x .
> > 
> > Someone else on this list certainly knows which of those two applies.
> 
> I think you're right that the INSTALL file is the standard one.  The string
> "FIPS" never appears.  IMHO, this is a bug in the FIPS tarball.
> 
> For the record, 
> 
> - When one specifies fipscanisterbuild, a message appears that one should
> go to www.openssl.org/docs/fips
> 
> - In that page, there's a pdf "SecurityPolicy" that suggests 
> 
> ./config fipscanisterbuild noasm
> 
> This eliminates the 'out range' error.  But then make test fails with this:
> 
> ~~~~~~~~
> 
> echo test normal x509v1 certificate
> test normal x509v1 certificate
> sh ./tx509 2>/dev/null
> testing X509 conversions
> p -> d
> make[1]: *** [test_x509] Error 1
> make[1]: Leaving directory `/home/kgold/Downloads/openssl-fips-1.2.3/test'
> make: *** [tests] Error 2
> 

That's a known problem due to the ancient nature of the version of OpenSSL
that comes with the FIPS tarball. If you link the module against OpenSSL
0.9.8r (the so-called FIPS capable OpenSSL) it should work fine. For details
see the user guide at:

http://www.openssl.org/docs/fips/UserGuide-1.2.pdf

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
