Hi Chris,

Please see my comments below inline.

Thanks,
Rich

On Tue, Feb 9, 2016 at 2:59 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Rich,
>
> On 2/9/16 4:09 PM, cloud force wrote:
> > Yes I do have some regulatory requirement to use FIPS and I have
> > built the FIPS capable OpenSSL lib.
>
> Where is that library located on the disk?

[Rich] The new libcrypto.so is located in the same directory, /lib/x86_64-linux-gnu/

> > I tried to add the "SSLFIPS on" parameter to the httpd.conf config
> > file as suggested in the ssl_mod manual page, but the httpd failed
> > to start with errors which seemed to be due to the fact that my apache
> > server was not compiled against an SSL library which supports the
> > FIPS_mode flag.
>
> Maybe you are getting the system-provided OpenSSL library and not the
> one you custom-built.
>
> > I need help with guidance of how to compile apache server with
> > FIPS capable OpenSSL lib so that the Apache server can be operating
> > under the OpenSSL FIPS mode.
>
> Recompiling httpd is never needed to switch-out a shared library. You
> just need to fix the way the OS loads things.

[Rich] How do I do that?

> What OS? What version of that OS? Architecture, etc.?

[Rich] Ubuntu Linux 64 bit (version 12.04)

> How did you install httpd?

[Rich] Httpd is packaged by Ubuntu as a package called apache2, and I installed the apache2 package.

> How did you install OpenSSL (originally)?

[Rich] OpenSSL is also packaged by Ubuntu as a package. I installed the original Ubuntu openssl package.

> Did you build the FIPS-capable OpenSSL library yourself or did you get
> it from some other source?

[Rich] I downloaded the FIPS module source and built it with the stock openssl library, and then installed the newly rebuilt FIPS capable openssl library. I was able to verify this: using the FIPS capable openssl lib, running the openssl command to generate an MD5 checksum failed due to it being a non-approved FIPS algorithm.

> Where is the FIPS-capable OpenSSL library on the disk?

[Rich] The .so files are mostly under the directory /lib/x86_64-linux-gnu/

> How do you launch httpd?

[Rich] Ubuntu uses an upstart script to launch services like httpd. I just ran the upstart script (service apache2 start) to start the httpd.

> -chris
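
The question raised in the quoted reply, whether httpd is picking up the system-provided OpenSSL library rather than the custom build, can be checked from the loader's view of mod_ssl. The script below is an added example, not part of the thread; the mod_ssl.so path, the `libcrypto.so.1.0.0` file name, the `MOD_SSL` and `FIPS_LIBCRYPTO` variables and the sample `ldd` output are assumptions or constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): check which libcrypto mod_ssl loads.

# Constructed sample of `ldd mod_ssl.so` output, used when no module is present.
SAMPLE_LDD='    linux-vdso.so.1 =>  (0x00007ffd1b5fe000)
    libssl.so.1.0.0 => /lib/x86_64-linux-gnu/libssl.so.1.0.0 (0x00007f3a1c2b0000)
    libcrypto.so.1.0.0 => /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f3a1bed0000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3a1bb10000)'

# resolved_lib NAME: read `ldd` output on stdin and print the path that the
# first library whose file name starts with NAME.so resolves to.
# Prints "not found" if the loader could not resolve it, nothing if unlinked.
resolved_lib() {
    awk -v lib="$1" '
        index($1, lib ".so") == 1 && $2 == "=>" {
            if ($3 == "not") print "not found"; else print $3
            exit
        }'
}

# canon PATH: follow symlinks; fall back to the literal path if that fails.
canon() { readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"; }

# check_lib NAME EXPECTED: read `ldd` output on stdin.
# Returns 0 if NAME resolves to the same file as EXPECTED, 1 on a mismatch,
# 2 if NAME is not linked or the loader cannot find it.
check_lib() {
    got=$(resolved_lib "$1")
    case "$got" in
        "")          echo "$1: not linked"; return 2 ;;
        "not found") echo "$1: not found by the loader"; return 2 ;;
    esac
    if [ "$(canon "$got")" = "$(canon "$2")" ]; then
        echo "$1: OK, resolves to $got"
    else
        echo "$1: MISMATCH, loads $got, expected $2"; return 1
    fi
}

# Assumed locations; override through the environment for your system.
MOD=${MOD_SSL:-/usr/lib/apache2/modules/mod_ssl.so}
WANT=${FIPS_LIBCRYPTO:-/lib/x86_64-linux-gnu/libcrypto.so.1.0.0}
if [ -f "$MOD" ]; then
    ldd "$MOD" | check_lib libcrypto "$WANT"
else
    printf '%s\n' "$SAMPLE_LDD" | check_lib libcrypto "$WANT"
fi
```

A MISMATCH result means the loader resolves a different file than the custom build, which is a library search-order problem and not a reason to recompile httpd.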