My issue is resolved. I had to add the following before calling httpd
configure:
export CC=fipsld
export FIPSLD_CC=gcc
Thanks.
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery. NOTE: Regardless of content, this e-mail shall not operate to
bind CSC to any order or other contract unless pursuant to explicit
written agreement or government initiative expressly permitting the use of
e-mail for such purpose.
From: Jerry Blasdel/USA/CSC
To: Steve Marquess <marqu...@opensslfoundation.com>
Cc: openssl-users@openssl.org
Date: 12/20/2012 07:54 AM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
I modified the example slightly to fit our configuration.
The fips build may have worked. I get the following:
making install in fips/utl...
for i in fipsld fips_standalone_sha1 ; \
do \
echo "installing $i"; \
cp $i /usr/local/ssl/fips-2.0/bin/$i.new; \
chmod 755 /usr/local/ssl/fips-2.0/bin/$i.new; \
mv -f /usr/local/ssl/fips-2.0/bin/$i.new
/usr/local/ssl/fips-2.0/bin/$i; \
done
installing fipsld
installing fips_standalone_sha1
cp -p -f fipscanister.o fipscanister.o.sha1 \
fips_premain.c fips_premain.c.sha1 \
/usr/local/ssl/fips-2.0/lib/; \
chmod 0444 /usr/local/ssl/fips-2.0/lib/fips*
making install in test...
During the make depend for OpenSSL I get several warnings similar to this:
makedepend: warning: mdc2dgst.c: 69: #error MDC2 is disabled.
makedepend: warning: mdc2_one.c: 150: #error("Unrecognized compiler
protocol for variable argument lists")
Then, I get the following errors:
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN
-DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -c cmac.c
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN
-DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -c cm_ameth.c
cc -I.. -I../.. -I../modes -I../asn1 -I../evp -I../../include -KPIC
-DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H
-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN
-DBN_DIV2W -DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include
-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -c cm_pmeth.c
ar r ../../libcrypto.a cmac.o cm_ameth.o cm_pmeth.o
/usr/ccs/bin/ranlib ../../libcrypto.a || echo Never mind.
if [ -n "libcrypto.so.1.0.0 libssl.so.1.0.0" ]; then \
(cd ..; make libcrypto.so.1.0.0); \
fi
[ -z "libcrypto" ] || cc -KPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DAES_ASM -DGHASH_ASM -Iinclude \
-DFINGERPRINT_PREMAIN_DSO_LOAD -o fips_premain_dso \
/usr/local/ssl/fips-2.0/lib/fips_premain.c
/usr/local/ssl/fips-2.0/lib/fipscanister.o \
libcrypto.a -lsocket -lnsl -ldl
ld: fatal: symbol 'bn_mul_mont_fpu' is multiply-defined:
(file /usr/local/ssl/fips-2.0/lib//fipscanister.o
type=FUNC; file libcrypto.a(sparcv9a-mont.o) type=FUNC);
ld: fatal: file processing errors. No output written to libcrypto.so.1.0.0
*** Error code 1
The following command caused the error:
if (/usr/local/ssl/fips-2.0/bin/fipsld -Wl,-V /dev/null 2>&1 | grep '^GNU
ld' )>/dev/null; then \
SHLIB_COMPAT=; SHLIB_SOVER=; if [ -n "1.0.0;" ]; then
prev=""; for v in `echo "1.0.0 ;" | cut -d';' -f1`; do
SHLIB_SOVER_NODOT=$v; SHLIB_SOVER=.$v; if [ -n "$prev" ]; then
SHLIB_COMPAT="$SHLIB_COMPAT .$prev"; fi; prev=$v; done; fi;
SHLIB=libcrypto.so; SHLIB_SUFFIX=; ALLSYMSFLAGS='-Wl,--whole-archive';
NOALLSYMSFLAGS='-Wl,--no-whole-archive'; SHAREDFLAGS="-KPIC -DOPENSSL_PIC
-DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra
-xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W
-DOPENSSL_BN_ASM_MONT -I/usr/local/ssl/fips-2.0/include -DSHA1_ASM
-DSHA256_ASM -DSHA512_ASM -DAES_ASM -DGHASH_ASM -G -dy -z text -shared
-Wl,-Bsymbolic -Wl,-soname=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX"; \
else \
SHLIB_COMPAT=; SHLIB_SOVER=; if [ -n "1.0.0;" ]; then
prev=""; for v in `echo "1.0.0 ;" | cut -d';' -f1`; do
SHLIB_SOVER_NODOT=$v; SHLIB_SOVER=.$v; if [ -n "$prev" ]; then
SHLIB_COMPAT="$SHLIB_COMPAT .$prev"; fi; prev=$v; done; fi; \
MINUSZ='-z '; \
(/usr/local/ssl/fips-2.0/bin/fipsld -v 2>&1 | grep gcc) >
/dev/null && MINUSZ='-Wl,-z,'; \
SHLIB=libcrypto.so; \
SHLIB_SUFFIX=;\
ALLSYMSFLAGS="${MINUSZ}allextract"; \
NOALLSYMSFLAGS="${MINUSZ}defaultextract"; \
SHAREDFLAGS="-KPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DAES_ASM -DGHASH_ASM -G -dy -z text -h $SHLIB$SHLIB_SOVER$SHLIB_SUFFIX
-Wl,-Bsymbolic"; \
fi; \
SHOBJECTS="libcrypto.a "; ( :; LIBDEPS="${LIBDEPS:--L. -lsocket -lnsl
-ldl}"; SHAREDCMD="${SHAREDCMD:-/usr/local/ssl/fips-2.0/bin/fipsld}";
SHAREDFLAGS="${SHAREDFLAGS:--KPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -xtarget=ultra -xarch=v8plus -xO5
-xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DOPENSSL_BN_ASM_MONT
-I/usr/local/ssl/fips-2.0/include -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM
-DAES_ASM -DGHASH_ASM -G -dy -z text}"; LIBPATH=`for x in $LIBDEPS; do
echo $x; done | sed -e 's/^ *-L//;t' -e d | uniq`; LIBPATH=`echo $LIBPATH
| sed -e 's/ /:/g'`; LD_LIBRARY_PATH=$LIBPATH:$LD_LIBRARY_PATH
${SHAREDCMD} ${SHAREDFLAGS} -o $SHLIB$SHLIB_SOVER$SHLIB_SUFFIX
$ALLSYMSFLAGS $SHOBJECTS $NOALLSYMSFLAGS $LIBDEPS ) && if [ -n
"$INHIBIT_SYMLINKS" ]; then :; else prev=$SHLIB$SHLIB_SOVER$SHLIB_SUFFIX;
if [ -n "$SHLIB_COMPAT" ]; then for x in $SHLIB_COMPAT; do ( :; rm -f
$SHLIB$x$SHLIB_SUFFIX; ln -s $prev $SHLIB$x$SHLIB_SUFFIX );
prev=$SHLIB$x$SHLIB_SUFFIX; done; fi; if [ -n "$SHLIB_SOVER" ]; then (
:; rm -f $SHLIB$SHLIB_SUFFIX; ln -s $prev $SHLIB$SHLIB_SUFFIX ); fi; fi
make: Fatal error: Command failed for target `link_a.solaris’
Any help is greatly appreciated.
This is a PRIVATE message. If you are not the intended recipient, please
delete without copying and kindly advise us by e-mail of the mistake in
delivery.
NOTE: Regardless of content, this e-mail shall not operate to bind CSC to
any order or other contract unless pursuant to explicit written agreement
or government initiative expressly permitting the use of e-mail for such
purpose.
From: Steve Marquess <marqu...@opensslfoundation.com>
To: openssl-users@openssl.org
Cc: Jerry Blasdel/USA/CSC@CSC
Date: 12/18/2012 09:21 AM
Subject: Re: FIPS enable Apache 2.4.3 with OpenSSL 1.0.1c-fips
On 12/18/2012 08:57 AM, Jerry Blasdel wrote:
> Steve,
>
> That was a typing error. I verified that I am building:
>
> Extracting OpenSSL Fips source...
> openssl-fips-2.0.1/...
>
> Extracting OpenSSL source...
> openssl-1.0.1c/ACKNOWLEDGMENTS...
>
>
> What steps can I take to help identify the problem with my FIPS capable
> built OpenSSL?
Well, start at the beginning. Have you tried building the "FIPS capable"
OpenSSL per section 4.2 and the examples in the User Guide?
Also see the example at:
http://opensslfoundation.com/fips/2.0/platforms/linux-native/Makefile
which should work in any Linux or Linux-like system (just do "make").
-Steve M.
--
Steve Marquess
OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marqu...@opensslfoundation.com
marqu...@openssl.com
