Thanks Chris! I was able to resolve the issue.
On Fri, Jan 30, 2015 at 10:09 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Geet,
>
> On 1/30/15 1:22 AM, Geett Chanddra Singha wrote:
> > Steps followed to build FIPS
> >
> > tar zxf openssl-1.0.1l.tar.gz
> > cd openssl-1.0.1l
> > ./config --prefix=/usr/local --with-fipsdir=/usr/local/ssl/fips-2.0
> > make
> > make install
> >
> > Note: I have installed the FIPS module in /usr/local/ssl/fips-2.0
>
> You have to do "./config fips --with-fipsdir=[...]". You are missing
> the "fips" argument to "config".
>
> After I did the "config", it told me that I needed to first "make
> depend". Then I did a regular "make" and got a FIPS-capable module (as
> tested by doing:
>
> $ cd test
> $ sh ./testfipsssl
>
> (Note that this test fails part way through because it's missing some
> kind of fake certificate... it looks like a problem with the test itself).
>
> I ran the test without building with FIPS and it died right away, so
> I'm confident I ended up with a FIPS-capable module:
>
> $ sh ./testfipsssl
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> test ssl3 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> Available compression methods:
> NONE
> 140652183557800:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
> 140652183557800:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
> test ssl2 is forbidden in FIPS mode
> *** IN FIPS MODE ***
> Available compression methods:
> NONE
> 139882949523112:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
> 139882949523112:error:140A9129:SSL routines:SSL_CTX_new:only tls allowed in fips mode:ssl_lib.c:1715:
> test tls1
> *** IN FIPS MODE ***
> Available compression methods:
> NONE
> TLSv1, cipher TLSv1/SSLv3 AES256-SHA, 2048 bit RSA
> 1 handshakes of 256 bytes done
> test tls1 with server authentication
> *** IN FIPS MODE ***
> Available compression methods:
> NONE
> server authentication
> depth=0 error=20 /C=UK/O=OpenSSL Group/OU=FOR TESTING PURPOSES ONLY/CN=Test Server Cert
> Error string: unable to get local issuer certificate
> ERROR in CLIENT
> 140515612989096:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1162:
> TLSv1, cipher (NONE) (NONE)
> 1 handshakes of 256 bytes done
>
> $ cd ..
> $ ./apps/openssl version
> WARNING: can't open config file: /usr/local/ssl/openssl.cnf
> OpenSSL 1.0.1l-fips 15 Jan 2015
>
> (Man... OpenSSL really is a big ball of crap: you have to be in the
> exact right directory for everything to work. It's amazing that these
> guys don't fix stuff like that. I like scripting everything, and
> having to do a "cd" in a script usually means that it's going to be
> hard to do things properly.)
>
> -chris

--
Thanks & Regards
Geett Chanddra Singha
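The build-and-verify procedure the thread converges on, written out as a script. This is an added example, not code posted by either correspondent or shipped by OpenSSL. It assumes the same tarball, prefix and FIPS object module directory quoted above, and that the FIPS module is already installed there, as Geett said it was. The version-banner check and the classification of `testfipsssl` output come straight from Chris's transcript; the extra `OPENSSL_FIPS=1 ... md5` check is an assumption based on the 1.0.x `openssl` command entering FIPS mode when that variable is set, and is not something the thread describes.

```shell
#!/bin/sh
# Added example (not from the thread): build OpenSSL 1.0.1l against an
# already-installed FIPS object module and verify the result.
set -eu

OPENSSL_TARBALL="${OPENSSL_TARBALL:-openssl-1.0.1l.tar.gz}"
OPENSSL_SRC="${OPENSSL_SRC:-openssl-1.0.1l}"
PREFIX="${PREFIX:-/usr/local}"
FIPSDIR="${FIPSDIR:-/usr/local/ssl/fips-2.0}"

# Returns 0 when an "openssl version" banner names a FIPS-capable build.
# The working build in the thread printed "OpenSSL 1.0.1l-fips 15 Jan 2015";
# a build without the "fips" config argument prints no "-fips" suffix.
is_fips_version() {
    case "$1" in
        "OpenSSL "*-fips*) return 0 ;;
        *) return 1 ;;
    esac
}

# Classifies one line of testfipsssl output. SSLv2/SSLv3 rejections are the
# expected behaviour in FIPS mode; the certificate-verify failure is the
# test's own missing-CA problem that Chris noted, so it is reported
# separately rather than being counted as a FIPS failure.
classify_test_line() {
    case "$1" in
        *"is forbidden in FIPS mode"*|*"only tls allowed in fips mode"*)
            echo expected-fips-rejection ;;
        *"unable to get local issuer certificate"*|*"certificate verify failed"*)
            echo test-harness-cert-problem ;;
        *"handshakes of "*" bytes done"*)
            echo handshake-ok ;;
        *)
            echo other ;;
    esac
}

# Reads testfipsssl output on stdin. Succeeds only when FIPS mode was
# reported, at least one TLS handshake completed, and no error line was
# left unexplained by the two categories above.
check_testfipsssl_output() {
    fips=0 handshake=0 unexplained=0
    while IFS= read -r line; do
        case "$line" in *"*** IN FIPS MODE ***"*) fips=1 ;; esac
        case "$(classify_test_line "$line")" in
            handshake-ok) handshake=1 ;;
            other) case "$line" in *":error:"*) unexplained=1 ;; esac ;;
        esac
    done
    [ "$fips" = 1 ] && [ "$handshake" = 1 ] && [ "$unexplained" = 0 ]
}

build_fips_openssl() {
    tar zxf "$OPENSSL_TARBALL"
    cd "$OPENSSL_SRC"
    # The "fips" argument is what the failing build was missing.
    ./config fips --prefix="$PREFIX" --with-fipsdir="$FIPSDIR"
    make depend
    make
    # Check the banner from the build tree, before install, as in the thread.
    banner="$(./apps/openssl version 2>/dev/null)"
    is_fips_version "$banner" || { echo "not a FIPS build: $banner" >&2; return 1; }
    # Assumed extra check, not in the thread: with OPENSSL_FIPS=1 the 1.0.x
    # openssl app enters FIPS mode, where MD5 must be refused.
    if OPENSSL_FIPS=1 ./apps/openssl md5 /dev/null >/dev/null 2>&1; then
        echo "MD5 succeeded under OPENSSL_FIPS=1; FIPS mode is not active" >&2
        return 1
    fi
    (cd test && sh ./testfipsssl 2>&1) | check_testfipsssl_output \
        || { echo "testfipsssl output did not look like a FIPS build" >&2; return 1; }
    echo "FIPS-capable build verified: $banner"
}

# Run the build only when invoked as: sh build-fips.sh build
if [ "${1:-}" = build ]; then
    build_fips_openssl
fi
```

Run it from the directory holding the tarball with `sh build-fips.sh build`; the helper functions can also be sourced on their own to check a banner or a saved `testfipsssl` log from a box where the build already happened.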