Geet,

On 1/30/15 1:22 AM, Geett Chanddra Singha wrote:
> Steps followed to build FIPS
>
> tar zxf openssl-1.0.1l.tar.gz
>
> cd openssl-1.0.1l
>
> ./config --prefix=/usr/local
> --with-fipsdir=/usr/local/ssl/fips-2.0
>
> make
>
> make install
>
> Note: I have installed the FIPS module in /usr/local/ssl/fips-2.0

You have to do "./config fips --with-fipsdir=[...]". You are missing the
"fips" argument to "config".

After I did the "config", it told me that I needed to first "make depend".
Then I did a regular "make" and got a FIPS-capable module, as tested by
doing:

  $ cd test
  $ sh ./testfipsssl

(Note that this test fails part way through because it's missing some
kind of fake certificate... it looks like a problem with the test
itself.) I ran the test without building with FIPS and it died right
away, so I'm confident I ended up with a FIPS-capable module:

  $ sh ./testfipsssl
  WARNING: can't open config file: /usr/local/ssl/openssl.cnf
  test ssl3 is forbidden in FIPS mode
  *** IN FIPS MODE ***
  Available compression methods: NONE
  140652183557800:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
  140652183557800:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
  test ssl2 is forbidden in FIPS mode
  *** IN FIPS MODE ***
  Available compression methods: NONE
  139882949523112:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
  139882949523112:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
  test tls1
  *** IN FIPS MODE ***
  Available compression methods: NONE
  TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 2048 bit RSA
  1 handshakes of 256 bytes done
  test tls1 with server authentication
  *** IN FIPS MODE ***
  Available compression methods: NONE
  server authentication
  depth=0 error=20 /C=UK/O=OpenSSL Group/OU=FOR TESTING PURPOSES ONLY/CN=Test Server Cert
  Error string: unable to get local issuer certificate
  ERROR in CLIENT
  140515612989096:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1162:
  TLSv1, cipher (NONE) (NONE)
  1 handshakes of 256 bytes done
  $ cd ..
  $ ./apps/openssl version
  WARNING: can't open config file: /usr/local/ssl/openssl.cnf
  OpenSSL 1.0.1l-fips 15 Jan 2015

(Man... OpenSSL really is a big ball of crap: you have to be in the exact
right directory for everything to work. It's amazing that these guys
don't fix stuff like that. I like scripting everything, and having to do
a "cd" in a script usually means that it's going to be hard to do things
properly.)

-chris
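Added example, not part of Chris's reply and not OpenSSL's own tooling: a small POSIX sh script that performs the build steps the reply describes (config with the "fips" keyword, "make depend", "make") and then verifies the result in two ways, by checking that "openssl version" reports the "-fips" suffix and by summarising testfipsssl output to confirm that FIPS mode was actually entered and that every SSLv2/SSLv3 attempt was refused. The source directory, prefix and FIPS module path are assumptions taken from the thread and can be overridden through the environment; the sample testfipsssl output embedded below is constructed and shortened.

```shell
#!/bin/sh
# Added example (not from the thread): build a FIPS-capable OpenSSL 1.0.1
# the way Chris describes, then verify that the build really is FIPS-capable.
set -eu

OPENSSL_SRC="${OPENSSL_SRC:-openssl-1.0.1l}"      # assumed unpacked source dir
PREFIX="${PREFIX:-/usr/local}"                    # assumed install prefix
FIPS_DIR="${FIPS_DIR:-/usr/local/ssl/fips-2.0}"   # assumed FIPS module location

# Build in a subshell so the script itself never has to "cd" permanently.
# The "fips" keyword is the argument the original command was missing.
build_fips_openssl() {
    ( cd "$OPENSSL_SRC" \
      && ./config fips --prefix="$PREFIX" --with-fipsdir="$FIPS_DIR" \
      && make depend \
      && make )
}

# Return 0 when an "openssl version" line reports a FIPS-capable build,
# i.e. the version token carries the "-fips" suffix Chris saw.
is_fips_capable_version() {
    case "$1" in
        "OpenSSL "*-fips" "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Summarise testfipsssl output read on stdin. Prints one line of counters:
#   fips_mode_runs=<n> legacy=<n> forbidden=<n> handshakes=<n>
# and returns 0 only if FIPS mode was entered at least once and every
# SSLv2/SSLv3 test was refused ("forbidden in FIPS mode").
summarize_testfipsssl() {
    fips=0; legacy=0; forbidden=0; handshakes=0
    while IFS= read -r line; do
        case "$line" in "test ssl2"*|"test ssl3"*) legacy=$((legacy + 1)) ;; esac
        case "$line" in *"forbidden in FIPS mode"*) forbidden=$((forbidden + 1)) ;; esac
        case "$line" in *"*** IN FIPS MODE ***"*) fips=$((fips + 1)) ;; esac
        case "$line" in *"handshakes of"*) handshakes=$((handshakes + 1)) ;; esac
    done
    echo "fips_mode_runs=$fips legacy=$legacy forbidden=$forbidden handshakes=$handshakes"
    [ "$fips" -gt 0 ] && [ "$legacy" -eq "$forbidden" ]
}

# Constructed, shortened testfipsssl output in the shape seen in the thread.
SAMPLE_TESTFIPSSSL='WARNING: can'"'"'t open config file: /usr/local/ssl/openssl.cnf
test ssl3 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods: NONE
test ssl2 is forbidden in FIPS mode
*** IN FIPS MODE ***
Available compression methods: NONE
test tls1
*** IN FIPS MODE ***
TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 2048 bit RSA
1 handshakes of 256 bytes done
test tls1 with server authentication
*** IN FIPS MODE ***
Error string: unable to get local issuer certificate
ERROR in CLIENT
1 handshakes of 256 bytes done'

# Usage:
#   sh fipsbuild.sh build      -> configure and build in $OPENSSL_SRC
#   sh fipsbuild.sh verify     -> check the freshly built ./apps/openssl
#   sh ./testfipsssl 2>&1 | sh fipsbuild.sh summarize
#   sh fipsbuild.sh selftest   -> run the summariser over the sample above
case "${1:-}" in
    build)     build_fips_openssl ;;
    verify)    is_fips_capable_version "$("$OPENSSL_SRC/apps/openssl" version)" \
                   && echo "FIPS-capable build" ;;
    summarize) summarize_testfipsssl ;;
    selftest)  printf '%s\n' "$SAMPLE_TESTFIPSSSL" | summarize_testfipsssl ;;
esac
```

The summariser deliberately counts the "test ssl2"/"test ssl3" attempts separately from the "forbidden" lines: a build that silently accepted SSLv3 would still print "*** IN FIPS MODE ***" for the TLS tests, so checking for that banner alone is not enough to trust the result.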