[users@httpd] Renaming localhost

2016-02-10 Thread Raja
Hello,

I sometimes work in remote sites with no network. I have the same setup
on different machines and I need the server name to know dynamically
where to do changes, etc. 

I edited /etc/hosts to show
127.0.0.1 localhost somename

Now, with my Wifi off I am trying `http://somename` and it is not
connecting. If I turn my wifi on, it works. But I need it to work with
no connection. How can I resolve this?

Thanks!
Regards, Raja.


-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] Renaming localhost

2016-02-10 Thread Mauricio Tavares
On Wed, Feb 10, 2016 at 4:57 AM, Raja  wrote:
> Hello,
>
> I sometimes work in remote sites with no network. I have the same setup
> on different machines and I need the server name to know dynamically
> where to do changes, etc.
>
> I edited /etc/hosts to show
> 127.0.0.1 localhost somename
>
> Now, with my Wifi off I am trying `http://somename` and it is not
> connecting. If I turn my wifi on, it works. But I need it to work with
> no connection. How can I resolve this?
>
  Check what your routing table looks like when wifi is off. Also,
can you ping it (and localhost) when wifi is off?

> Thanks!
> Regards, Raja.
>
>




Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Christopher Schultz
Rich,

On 2/9/16 6:21 PM, cloud force wrote:
> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz 
>  > wrote:
> 
> Rich,
> 
> On 2/9/16 4:09 PM, cloud force wrote:
>> Yes I do have some regulatory requirement to use FIPS and I
>> have built the FIPS capable OpenSSL lib.
> 
> Where is that library located on the disk?
> 
>> [Rich] The new libcrypto.so is located in the same directory
>> /lib/x86_64-linux-gnu/
> 
> 
> 
>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>> config file as suggested in the mod_ssl manual page, but
>> httpd failed to start with errors which seemed to be due to the fact
>> that my apache server was not compiled against an SSL library
>> which supports the FIPS_mode flag.
> 
> Maybe you are getting the system-provided OpenSSL library and not
> the one you custom-built.
> 
>> I need help with guidance on how to compile the apache server with a
>> FIPS capable OpenSSL lib so that the Apache server can
>> operate under the OpenSSL FIPS mode.
> 
> Recompiling httpd is never needed to switch-out a shared library.
> You just need to fix the way the OS loads things.
> 
>> [Rich] How do I do that?

That depends upon the answers to your various questions.

> What OS? What version of that OS? Architecture, etc.?
> 
>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> 
> How did you install httpd?
> 
>> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
>> and I installed the apache2 package.

Good. Keep that package as it is.

> How did you install OpenSSL (originally)?
> 
>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
>> installed the original Ubuntu openssl package.

Okay. And that package is still installed and not broken?

> Did you build the FIPS-capable OpenSSL library yourself or did you
> get it from some other source?
> 
>> [Rich] I downloaded the FIPS module source and built it with the
>> stock openssl library, and then installed the newly rebuilt FIPS
>> capable openssl library. I was able to verify it by using the FIPS
>> capable openssl lib: running the openssl command to generate an
>> MD5 checksum failed because it's a non-approved FIPS algorithm.

Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
always work as long as you use the full path to the FIPS-capable
openssl binary. Getting another program to load using the FIPS-capable
library takes a bit of work.

> Where is the FIPS-capable OpenSSL library on the disk?
> 
>> [Rich] The .so files are mostly under the directory
>> /lib/x86_64-linux-gnu/

Isn't that where the Ubuntu-packages libraries are as well?

What does this command show?

$ dpkg -L libssl1.0.0

(This will still work if you have OpenSSL 1.0.1.)

Where *exactly* are the FIPS-capable libraries you built? There should
be several .so files produced by the build. What are they and where
did you put them?

> How do you launch httpd?
> 
>> [Rich] Ubuntu uses upstart script to launch service like httpd. I
>> just ran the upstart script (service apache2 start) to start the
>> httpd.

Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
environment variable to point to the place where your FIPS-capable
OpenSSL libraries are. But if you put them into the existing library
search path, you may have broken both your original OpenSSL
installation, plus the FIPS-capable libraries as well.

It would be best to keep the FIPS-capable libraries somewhere out of
the way where you won't confuse them with the package-installed ones.

-chris




Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread cloud force
Hi Chris,

Please see my comments below.

Thanks,
Rich

On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Rich,
>
> On 2/9/16 6:21 PM, cloud force wrote:
> > On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
> >  > > wrote:
> >
> > Rich,
> >
> > On 2/9/16 4:09 PM, cloud force wrote:
> >> Yes I do have some regulatory requirement to use FIPS and I
> >> have built the FIPS capable OpenSSL lib.
> >
> > Where is that library located on the disk?
> >
> >> [Rich] The new libcrypto.so is located in the same directory
> >> /lib/x86_64-linux-gnu/
> >
> >
> >
> >> I tried to add the "SSLFIPS on" parameter to the httpd.conf
> >> config file as suggested in the mod_ssl manual page, but
> >> httpd failed to start with errors which seemed to be due to the fact
> >> that my apache server was not compiled against an SSL library
> >> which supports the FIPS_mode flag.
> >
> > Maybe you are getting the system-provided OpenSSL library and not
> > the one you custom-built.
> >
> >> I need help with guidance on how to compile the apache server with a
> >> FIPS capable OpenSSL lib so that the Apache server can
> >> operate under the OpenSSL FIPS mode.
> >
> > Recompiling httpd is never needed to switch-out a shared library.
> > You just need to fix the way the OS loads things.
> >
> >> [Rich] How do I do that?
>
> That depends upon the answers to your various questions.
>
> > What OS? What version of that OS? Architecture, etc.?
> >
> >> [Rich] Ubuntu Linux 64 bit (version 12.04)
> >
> >
> > How did you install httpd?
> >
> >> [Rich] Httpd is packaged by Ubuntu as a package called apache2,
> >> and I installed the apache2 package.
>
> Good. Keep that package as it is.
>
> > How did you install OpenSSL (originally)?
> >
> >> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
> >> installed the original Ubuntu openssl package.
>
> Okay. And that package is still installed and not broken?
>
> > Did you build the FIPS-capable OpenSSL library yourself or did you
> > get it from some other source?
> >
> >> [Rich] I downloaded the FIPS module source and built it with the
> >> stock openssl library, and then installed the newly rebuilt FIPS
> >> capable openssl library. I was able to verify it by using the FIPS
> >> capable openssl lib: running the openssl command to generate an
> >> MD5 checksum failed because it's a non-approved FIPS algorithm.
>
> Okay, good. IIRC, the "openssl" CLI is statically-linked so that will
> always work as long as you use the full path to the FIPS-capable
> openssl binary. Getting another program to load using the FIPS-capable
> library takes a bit of work.
>
> > Where is the FIPS-capable OpenSSL library on the disk?
> >
> >> [Rich] The .so files are mostly under the directory
> >> /lib/x86_64-linux-gnu/
>
> Isn't that where the Ubuntu-packages libraries are as well?
>
[Rich] Yes, basically my newly built FIPS capable OpenSSL lib files
replaced the original Ubuntu installed ones.


>
> What does this command show?
>
> $ dpkg -L libssl1.0.0
>
> (This will still work if you have OpenSSL 1.0.1.)
>
> Where *exactly* are the FIPS-capable libraries you built? There should
> be several .so files produced by the build. What are they and where
> did you put them?
>
> > How do you launch httpd?
> >
> >> [Rich] Ubuntu uses upstart script to launch service like httpd. I
> >> just ran the upstart script (service apache2 start) to start the
> >> httpd.
>
> Ultimately, this is going to involve you adjusting the LD_LIBRARY_PATH
> environment variable to point to the place where your FIPS-capable
> OpenSSL libraries are. But if you put them into the existing library
> search path, you may have broken both your original OpenSSL
> installation, plus the FIPS-capable libraries as well.
>
[Rich] My understanding is, if I replace the Ubuntu installed OpenSSL lib
files with the FIPS capable version built by myself, as long as the
application which uses openssl (e.g. Apache server) doesn't explicitly
invoke the FIPS_mode_set() API to enable FIPS mode, they will work pretty much
the same as if there's no FIPS.
From the mod_ssl docs it looks like I need to recompile with some
different option so that it will allow Apache to invoke the FIPS_mode_set API,
as I did find the FIPS_mode_set API got invoked somewhere in the stock
httpd source code. Is my understanding correct?

>
> It would be best to keep the FIPS-capable libraries somewhere out of
> the way where you won't confuse them with the package-installed ones.
>
> -chris

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Stormy

[Apologies for top-posting, and I've never used FIPS...]

Ubuntu 12.04 uses apache 2.2; the "out of the box" ssl.conf has the lines:

# enable only secure protocols: SSLv3 and TLSv1, but not SSLv2
SSLProtocol all -SSLv2

and [if I'm reading www.openssl.org correctly] FIPS is "v2"...

Best -- Paul




Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Christopher Schultz
Rich,

On 2/10/16 11:24 AM, cloud force wrote:
> Hi Chris,
> 
> Please see my comments below.
> 
> Thanks, Rich
> 
> On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz 
>  > wrote:
> 
> Rich,
> 
> On 2/9/16 6:21 PM, cloud force wrote:
>> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz 
>> >  
>> > >>
> wrote:
> 
>> Rich,
> 
>> On 2/9/16 4:09 PM, cloud force wrote:
>>> Yes I do have some regulatory requirement to use FIPS and I
>>> have built the FIPS capable OpenSSL lib.
> 
>> Where is that library located on the disk?
> 
>>> [Rich] The new libcrypto.so is located in the same directory
>>> /lib/x86_64-linux-gnu/
> 
> 
> 
>>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
>>> config file as suggested in the mod_ssl manual page, but
>>> httpd failed to start with errors which seemed to be due to the
>>> fact that my apache server was not compiled against an SSL
>>> library which supports the FIPS_mode flag.
> 
>> Maybe you are getting the system-provided OpenSSL library and
>> not the one you custom-built.
> 
>>> I need help with guidance on how to compile the apache server
>>> with a FIPS capable OpenSSL lib so that the Apache server can
>>> operate under the OpenSSL FIPS mode.
> 
>> Recompiling httpd is never needed to switch-out a shared
>> library. You just need to fix the way the OS loads things.
> 
>>> [Rich] How do I do that?
> 
> That depends upon the answers to your various questions.
> 
>> What OS? What version of that OS? Architecture, etc.?
> 
>>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> 
> 
>> How did you install httpd?
> 
>>> [Rich] Httpd is packaged by Ubuntu as a package called
>>> apache2, and I installed the apache2 package.
> 
> Good. Keep that package as it is.
> 
>> How did you install OpenSSL (originally)?
> 
>>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I 
>>> installed the original Ubuntu openssl package.
> 
> Okay. And that package is still installed and not broken?
> 
>> Did you build the FIPS-capable OpenSSL library yourself or did
>> you get it from some other source?
> 
>>> [Rich] I downloaded the FIPS module source and built it with
>>> the stock openssl library, and then installed the newly rebuilt
>>> FIPS capable openssl library. I was able to verify it by using the
>>> FIPS capable openssl lib: running the openssl command to
>>> generate an MD5 checksum failed because it's a non-approved FIPS
>>> algorithm.
> 
> Okay, good. IIRC, the "openssl" CLI is statically-linked so that
> will always work as long as you use the full path to the
> FIPS-capable openssl binary. Getting another program to load using
> the FIPS-capable library takes a bit of work.
> 
>> Where is the FIPS-capable OpenSSL library on the disk?
> 
>>> [Rich] The .so files are mostly under the directory 
>>> /lib/x86_64-linux-gnu/
> 
> Isn't that where the Ubuntu-packages libraries are as well?
> 
>> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
>> files replaced the original Ubuntu installed ones.
> 
> 
> 
> What does this command show?
> 
> $ dpkg -L libssl1.0.0
> 
> (This will still work if you have OpenSSL 1.0.1.)
> 
> Where *exactly* are the FIPS-capable libraries you built? There
> should be several .so files produced by the build. What are they
> and where did you put them?
> 
>> How do you launch httpd?
> 
>>> [Rich] Ubuntu uses upstart script to launch service like httpd.
>>> I just ran the upstart script (service apache2 start) to start
>>> the httpd.
> 
> Ultimately, this is going to involve you adjusting the
> LD_LIBRARY_PATH environment variable to point to the place where
> your FIPS-capable OpenSSL libraries are. But if you put them into
> the existing library search path, you may have broken both your
> original OpenSSL installation, plus the FIPS-capable libraries as
> well.
> 
>> [Rich] My understanding is, if I replace the Ubuntu installed
>> OpenSSL lib files with the FIPS capable version built by myself,
>> as long as the application which uses openssl (e.g. Apache
>> server) doesn't explicitly invoke FIPS_mode_set() API to enable
>> FIPS mode, they will work pretty much the same as if there's no
>> FIPS.

Agreed.

>> From the mod_ssl docs it looks like I need to recompile with
>> some different option so that it will allow Apache to invoke
>> FIPS_mode_set API, as I did find the FIPS_mode_set API got
>> invoked somewhere in the stock httpd source code. Is my
>> understanding correct?

I might need some help from the httpd gurus here. If httpd has #ifdefs
that require that the compile-time library be FIPS-capable in order to
build against it, then httpd will in fact have to be rebuilt.

OpenSSL itself does not conditionally-compile or conditionally-declare
the FIPS_mode_set(int) function call, so building against a
non-FIPS-capable library (the s

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Eric Covener
On Wed, Feb 10, 2016 at 12:48 PM, Stormy  wrote:
> and [if I'm reading www.openssl.org correctly] FIPS is "v2"...


Not the same kind of V2.

-- 
Eric Covener
cove...@gmail.com




Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread cloud force
Hi Chris,

On Wed, Feb 10, 2016 at 9:50 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Rich,
>
> On 2/10/16 11:24 AM, cloud force wrote:
> > Hi Chris,
> >
> > Please see my comments below.
> >
> > Thanks, Rich
> >
> > On Wed, Feb 10, 2016 at 7:20 AM, Christopher Schultz
> >  > > wrote:
> >
> > Rich,
> >
> > On 2/9/16 6:21 PM, cloud force wrote:
> >> On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz
> >>  >> 
> >>  >> >>
> > wrote:
> >
> >> Rich,
> >
> >> On 2/9/16 4:09 PM, cloud force wrote:
> >>> Yes I do have some regulatory requirement to use FIPS and I
> >>> have built the FIPS capable OpenSSL lib.
> >
> >> Where is that library located on the disk?
> >
> >>> [Rich] The new libcrypto.so is located in the same directory
> >>> /lib/x86_64-linux-gnu/
> >
> >
> >
> >>> I tried to add the "SSLFIPS on" parameter to the httpd.conf
> >>> config file as suggested in the mod_ssl manual page, but
> >>> httpd failed to start with errors which seemed to be due to the
> >>> fact that my apache server was not compiled against an SSL
> >>> library which supports the FIPS_mode flag.
> >
> >> Maybe you are getting the system-provided OpenSSL library and
> >> not the one you custom-built.
> >
> >>> I need help with guidance on how to compile the apache server
> >>> with a FIPS capable OpenSSL lib so that the Apache server can
> >>> operate under the OpenSSL FIPS mode.
> >
> >> Recompiling httpd is never needed to switch-out a shared
> >> library. You just need to fix the way the OS loads things.
> >
> >>> [Rich] How do I do that?
> >
> > That depends upon the answers to your various questions.
> >
> >> What OS? What version of that OS? Architecture, etc.?
> >
> >>> [Rich] Ubuntu Linux 64 bit (version 12.04)
> >
> >
> >> How did you install httpd?
> >
> >>> [Rich] Httpd is packaged by Ubuntu as a package called
> >>> apache2, and I installed the apache2 package.
> >
> > Good. Keep that package as it is.
> >
> >> How did you install OpenSSL (originally)?
> >
> >>> [Rich] OpenSSL is also packaged by Ubuntu as a package. I
> >>> installed the original Ubuntu openssl package.
> >
> > Okay. And that package is still installed and not broken?
> >
> >> Did you build the FIPS-capable OpenSSL library yourself or did
> >> you get it from some other source?
> >
> >>> [Rich] I downloaded the FIPS module source and built it with
> >>> the stock openssl library, and then installed the newly rebuilt
> >>> FIPS capable openssl library. I was able to verify it by using the
> >>> FIPS capable openssl lib: running the openssl command to
> >>> generate an MD5 checksum failed because it's a non-approved FIPS
> >>> algorithm.
> >
> > Okay, good. IIRC, the "openssl" CLI is statically-linked so that
> > will always work as long as you use the full path to the
> > FIPS-capable openssl binary. Getting another program to load using
> > the FIPS-capable library takes a bit of work.
> >
> >> Where is the FIPS-capable OpenSSL library on the disk?
> >
> >>> [Rich] The .so files are mostly under the directory
> >>> /lib/x86_64-linux-gnu/
> >
> > Isn't that where the Ubuntu-packages libraries are as well?
> >
> >> [Rich] Yes, basically my newly built FIPS capable OpenSSL lib
> >> files replaced the original Ubuntu installed ones.
> >
> >
> >
> > What does this command show?
> >
> > $ dpkg -L libssl1.0.0
> >
> > (This will still work if you have OpenSSL 1.0.1.)
> >
> > Where *exactly* are the FIPS-capable libraries you built? There
> > should be several .so files produced by the build. What are they
> > and where did you put them?
> >
> >> How do you launch httpd?
> >
> >>> [Rich] Ubuntu uses upstart script to launch service like httpd.
> >>> I just ran the upstart script (service apache2 start) to start
> >>> the httpd.
> >
> > Ultimately, this is going to involve you adjusting the
> > LD_LIBRARY_PATH environment variable to point to the place where
> > your FIPS-capable OpenSSL libraries are. But if you put them into
> > the existing library search path, you may have broken both your
> > original OpenSSL installation, plus the FIPS-capable libraries as
> > well.
> >
> >> [Rich] My understanding is, if I replace the Ubuntu installed
> >> OpenSSL lib files with the FIPS capable version built by myself,
> >> as long as the application which uses openssl (e.g. Apache
> >> server) doesn't explicitly invoke FIPS_mode_set() API to enable
> >> FIPS mode, they will work pretty much the same as if there's no
> >> FIPS.
>
> Agreed.
>
> >> From the mod_ssl docs it looks like I need to recompile with
> >> some different option so that it will allow Apache to invoke
> >> FIPS_mode_set API, as I did find the FIPS_mode_set API got
> >> invoked somewhere in the stock httpd source code. Is my
> >> understanding correct?
>
> I might need some help from the h

Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Christopher Schultz
Rich,

On 2/10/16 1:12 PM, cloud force wrote:
> I added the "SSLFIPS on" option to the httpd.conf as suggested in
> the ssl_mod doc, and I got the following error:
> 
> * Starting web server apache2
> 
> 
> Syntax error on line 1 of /etc/apache2/httpd.conf:
> 
> SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS
> 
> Action 'start' failed.
> 
> The Apache error log may have more information.

It looks like httpd *must* be built against a FIPS-capable library.

From modules/ssl/ssl_engine_config.c:692:

> #ifdef HAVE_FIPS
>     if ((sc->fips != UNSET) && (sc->fips != (BOOL)(flag ? TRUE : FALSE)))
>         return "Conflicting SSLFIPS options, cannot be both On and Off";
>     sc->fips = flag ? TRUE : FALSE;
> #else
>     if (flag)
>         return "SSLFIPS invalid, rebuild httpd and openssl compiled for FIPS";
> #endif
>
>     return NULL;
> }

So you think you really do have to re-build. But the only thing that
needs to be defined is OPENSSL_FIPS. From modules/ssl/ssl_private.h:126:

> #if defined(OPENSSL_FIPS)
> #define HAVE_FIPS
> #endif

So if you grab the source and simply do:

$ CFLAGS=-DOPENSSL_FIPS ./configure [other opts]
$ make

That ought to get you a FIPS-capable httpd.

To those down and dirty with httpd: is there a reason not to
UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
doesn't support FIPS mode, it will complain about it and refuse to
enter FIPS mode. The httpd code already handles this in
modules/ssl/ssl_engine_init.c:

> #ifdef HAVE_FIPS
>     if (sc->fips) {
>         if (!FIPS_mode()) {
>             if (FIPS_mode_set(1)) {
>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884) "Operating in SSL FIPS mode");
>             } else {
>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>                 return ssl_die(s);
>             }
>         }
>     } else {
>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL FIPS mode disabled");
>     }
> #endif

I don't see a compelling reason to have all the #ifdef HAVE_FIPS
conditionals all over the place.

Hope that helps,
-chris




Re: [users@httpd] How to build Apache with FIPS mode capable?

2016-02-10 Thread Yann Ylavic
Hi,

On Wed, Feb 10, 2016 at 11:14 PM, Christopher Schultz
 wrote:
>
> To those down and dirty with httpd: is there a reason not to
> UNCONDITIONALLY build against OpenSSL's FIPS_mode_set? If the library
> doesn't support FIPS mode, it will complain about it and refuse to
> enter FIPS mode. The httpd code already handles this in
> modules/ssl/ssl_engine_init.c:
>
>> #ifdef HAVE_FIPS
>>     if (sc->fips) {
>>         if (!FIPS_mode()) {
>>             if (FIPS_mode_set(1)) {
>>                 ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(01884) "Operating in SSL FIPS mode");
>>             } else {
>>                 ap_log_error(APLOG_MARK, APLOG_EMERG, 0, s, APLOGNO(01885) "FIPS mode failed");
>>                 ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);
>>                 return ssl_die(s);
>>             }
>>         }
>>     } else {
>>         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(01886) "SSL FIPS mode disabled");
>>     }
>> #endif
>
> I don't see a compelling reason to have all the #ifdef HAVE_FIPS
> conditionals all over the place.

OPENSSL_FIPS is something defined by OpenSSL when FIPS has been ./config-ured.
Apache httpd should be run against an OpenSSL version ABI-compatible
with the one it was compiled with, whereas FIPS vs non-FIPS OpenSSLs
are possibly not ABI-compatible...

Regards,
Yann.

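Chris's LD_LIBRARY_PATH advice in his first reply, his CFLAGS=-DOPENSSL_FIPS rebuild recipe, and Yann's point that OPENSSL_FIPS is something OpenSSL's own configuration defines come down to two questions a practitioner can check before putting "SSLFIPS on" in httpd.conf: which libcrypto does mod_ssl.so actually map at run time, and do the OpenSSL headers httpd is compiled against define OPENSSL_FIPS (ssl_private.h derives HAVE_FIPS from it, so a header from the stock package yields the "SSLFIPS invalid" error even when the runtime library is FIPS-capable). The script below is an added example, not code posted in the thread or taken from the httpd project. The install prefix /opt/openssl-fips, the module path /usr/lib/apache2/modules/mod_ssl.so, and the ldd output and header fragments are assumptions and constructed samples; on Ubuntu the place to export LD_LIBRARY_PATH for the apache2 init script is /etc/apache2/envvars. Yann's caveat still applies: ldd tells you which file is mapped, not whether it is ABI-compatible with the headers httpd was built against, so build httpd against the same FIPS-capable tree that LD_LIBRARY_PATH points to.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project: pre-flight checks
# before enabling "SSLFIPS on". Paths under /opt/openssl-fips are assumptions.

linked_lib_path() {
    # Usage: linked_lib_path LIBNAME < ldd-output
    # Prints the file ldd resolved for LIBNAME (e.g. libcrypto), or nothing.
    # Line shape: "libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x...)"
    awk -v lib="$1" '$1 ~ ("^" lib "\\.so") && $2 == "=>" { print $3; exit }'
}

lib_under_prefix() {
    # Usage: lib_under_prefix PATH PREFIX -> 0 if PATH lives under PREFIX
    case $1 in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

header_defines_fips() {
    # Usage: header_defines_fips PATH/TO/opensslconf.h -> 0 if OPENSSL_FIPS is
    # defined there. mod_ssl's ssl_private.h turns this define into HAVE_FIPS.
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' "$1"
}

fips_runtime_rejects_md5() {
    # Live check (not run by the offline tests). A FIPS-capable OpenSSL 1.0.x
    # "openssl" binary enters FIPS mode when OPENSSL_FIPS is set in its environment
    # and must then refuse MD5, the non-approved digest Rich tried in the thread.
    # Usage: fips_runtime_rejects_md5 /path/to/openssl [LIBDIR]
    bin=$1; libdir=${2:-}
    if LD_LIBRARY_PATH="$libdir${libdir:+:}${LD_LIBRARY_PATH:-}" OPENSSL_FIPS=1 \
        "$bin" dgst -md5 /dev/null >/dev/null 2>&1; then
        return 1   # MD5 succeeded: not in FIPS mode
    fi
    return 0
}

preflight() {
    # Usage: preflight LDD_OUTPUT_FILE OPENSSLCONF_H EXPECTED_PREFIX
    # One verdict line per check; returns 0 only when both pass.
    rc=0
    path=$(linked_lib_path libcrypto < "$1")
    if [ -n "$path" ] && lib_under_prefix "$path" "$3"; then
        echo "ok: mod_ssl maps $path"
    else
        echo "FAIL: mod_ssl maps ${path:-nothing}, expected a libcrypto under $3"; rc=1
    fi
    if header_defines_fips "$2"; then
        echo "ok: $2 defines OPENSSL_FIPS, so configure will set HAVE_FIPS"
    else
        echo "FAIL: $2 does not define OPENSSL_FIPS; SSLFIPS will be rejected at startup"; rc=1
    fi
    return $rc
}

# Constructed sample inputs (not captured from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ldd-distro.txt" <<'EOF'
        linux-vdso.so.1 =>  (0x00007fff5e3ff000)
        libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3a1c0b0000)
        libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3a1bcd0000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1b910000)
EOF
cat > "$tmp/ldd-fips.txt" <<'EOF'
        libssl.so.1.0.0 => /opt/openssl-fips/lib/libssl.so.1.0.0 (0x00007f3a1c0b0000)
        libcrypto.so.1.0.0 => /opt/openssl-fips/lib/libcrypto.so.1.0.0 (0x00007f3a1bcd0000)
EOF
printf '/* stock opensslconf.h */\n#ifndef OPENSSL_NO_EC\n#endif\n' > "$tmp/stock.h"
printf '/* FIPS-capable opensslconf.h */\n#ifndef OPENSSL_FIPS\n# define OPENSSL_FIPS\n#endif\n' > "$tmp/fips.h"

# On the real host (mod_ssl path from Ubuntu's apache2 package; prefix assumed):
#   ldd /usr/lib/apache2/modules/mod_ssl.so > /tmp/ldd.txt
#   preflight /tmp/ldd.txt /opt/openssl-fips/include/openssl/opensslconf.h /opt/openssl-fips
#   fips_runtime_rejects_md5 /opt/openssl-fips/bin/openssl /opt/openssl-fips/lib && echo "FIPS mode works"
```

Run the real-host commands from the comment block after exporting LD_LIBRARY_PATH the same way the init script will; if the first check reports the distro path, the environment the service starts with differs from your interactive shell, which is exactly the "OS loads things" problem Chris describes.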



Re: [users@httpd] Renaming localhost

2016-02-10 Thread Raja
Hi Mauricio,

Thanks for your reply. I am new to Linux and am still learning. I looked
up what IP route tables are on the net and I think you meant
/etc/iproute2/rt_tables, which shows:

255 local
254 main
253 default
0   unspec

I can ping both localhost and compname but can't reach on browser.

Thanks,
Regards, Raja.


On Wed, 2016-02-10 at 08:38 -0500, Mauricio Tavares wrote:
> On Wed, Feb 10, 2016 at 4:57 AM, Raja  wrote:
> > Hello,
> >
> > I sometimes work in remote sites with no network. I have the same setup
> > on different machines and I need the server name to know dynamically
> > where to do changes, etc.
> >
> > I edited /etc/hosts to show
> > 127.0.0.1 localhost somename
> >
> > Now, with my Wifi off I am trying `http://somename` and it is not
> > connecting. If I turn my wifi on, it works. But I need it to work with
> > no connection. How can I resolve this?
> >
>   Check what your routing table looks like when wifi is off. Also,
> can you ping it (and localhost) when wifi is off?
> 
> > Thanks!
> > Regards, Raja.
> >
> >
> 



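Mauricio's questions and Raja's answer above (ping works, the browser does not) leave two checks implicit: does the name resolve to a loopback address from /etc/hosts alone, and does httpd have a listener on an address that still exists once the Wi-Fi interface is gone. The script below is an added example, not something posted in the thread. The hosts file and the Listen fragments are constructed samples; /etc/apache2/ports.conf is where Ubuntu's apache2 package keeps its Listen directives, and the curl probe bypasses any configured proxy, which would otherwise send the request out over a network that is down instead of to loopback.

```shell
#!/bin/sh
# Added example (not from the thread): offline reproduction of the checks that
# decide whether http://somename can work with every network interface down.

hosts_lookup() {
    # Usage: hosts_lookup NAME HOSTSFILE -> prints the first address mapped to NAME.
    # Mirrors the "files" resolver backend: comments stripped, any alias column
    # matches case-insensitively, first matching line wins.
    awk -v n="$1" '
        { sub(/#.*/, "") }
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(n)) { print $1; exit }
        }' "$2"
}

is_loopback() {
    # 127.0.0.0/8 and ::1 stay reachable when Wi-Fi and Ethernet are both down.
    case $1 in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

listen_reachable_on_loopback() {
    # Usage: listen_reachable_on_loopback PORTS_CONF
    # 0 if some Listen binds a port on all addresses or on loopback; 1 if every
    # Listen is pinned to a specific non-loopback IP (that socket disappears
    # together with the interface owning the address).
    awk '
        { sub(/#.*/, "") }
        tolower($1) == "listen" {
            seen = 1; a = $2
            if (a ~ /^[0-9]+$/ || a ~ /^\*:/ || a ~ /^0\.0\.0\.0:/ ||
                a ~ /^127\./ || a ~ /^\[::\]:/ || a ~ /^\[::1\]:/) ok = 1
        }
        END { if (ok || !seen) exit 0; exit 1 }' "$1"
}

diagnose() {
    # Usage: diagnose NAME HOSTSFILE PORTS_CONF -> verdict on stdout; returns 0
    # when NAME resolves to loopback and httpd has a listener reachable there.
    addr=$(hosts_lookup "$1" "$2")
    if [ -z "$addr" ]; then
        echo "$1: no entry in $2"; return 1
    elif ! is_loopback "$addr"; then
        echo "$1 -> $addr: not loopback, only reachable while that interface is up"; return 1
    elif ! listen_reachable_on_loopback "$3"; then
        echo "$1 -> $addr resolves, but $3 only Listens on a specific non-loopback address"; return 1
    fi
    echo "$1 -> $addr: resolvable and reachable with the network down"
}

# Constructed sample inputs (not copied from a real host).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/hosts" <<'EOF'
# the line from the thread, plus the usual IPv6 entry
127.0.0.1 localhost somename
::1       localhost ip6-localhost
EOF
printf 'Listen 80\n' > "$tmp/ports-any.conf"
printf '# bound to the Wi-Fi address only\nListen 192.168.1.23:80\n' > "$tmp/ports-wifi.conf"

# Live use on the real machine:
#   diagnose somename /etc/hosts /etc/apache2/ports.conf
#   getent hosts somename
#   curl -sS --noproxy '*' -o /dev/null -w '%{http_code}\n' http://somename/
if [ "x${1:-}" = "x--live" ]; then
    diagnose somename /etc/hosts /etc/apache2/ports.conf
fi
```

If diagnose passes but the browser still fails while curl with --noproxy succeeds, the remaining difference is the browser's own proxy or offline settings rather than name resolution or httpd.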


