Re: How do you get FIPS openssl to work with mod_ssl?
Blasdel, Jerry wrote:
> I'm not sure if this will help, but we do the following (this is on
> Solaris):
>
> 1. Build fips canisters from an openssl-fips source (1.1.1 or
> 1.1.2).
> 2. Build a version of openssl and during the configure use
> -with-fipslibdir=(location of the canisters from step 1).
> 3. Build a version of apache and during the configure use
> --with-ssl=${OPENSSL_INSTALL_DIR} (location from step 2).
>
Keep in mind that merely linking an application with a FIPS enabled
OpenSSL does NOT automatically give you a result that can be claimed as
FIPS 140-2 compliant. At an absolute minimum you will need to enable
the FIPS mode of operation (see the User Guide for the gory details:
http://www.openssl.org/docs/fips/). In practice additional application
source mods will generally be required. Also check ASF Bugzilla for
some work in that regard going back to 2005; most recently Steve Henson
submitted a patch that includes FIPS mode enabling
(http://mail-archives.apache.org/mod_...g/bugzilla/%3E).
-Steve M.
--
Steve Marquess
Open Source Software Institute
marquess@oss-institute.org
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
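
The minimum step Steve M.'s reply refers to, switching on FIPS mode at application start-up and refusing to run if that fails, as an added example (not code from this thread, from mod_ssl or from the patch mentioned). `init_crypto` and `require_fips` are hypothetical names; `FIPS_mode_set()` and the `OPENSSL_FIPS` macro are those of a FIPS-capable OpenSSL build of that era.

```c
/* Added example: fail-closed FIPS mode start-up for an application linked
 * against a FIPS-capable OpenSSL. init_crypto() and require_fips are
 * hypothetical names, not taken from mod_ssl or the thread. */
#include <stdio.h>

/* Pull in OpenSSL only if its headers are installed, so the fallback path
 * below also compiles on a host without them. */
#if defined(__has_include)
# if __has_include(<openssl/crypto.h>)
#  include <openssl/crypto.h>
#  include <openssl/err.h>
# endif
#endif

/* Returns 0 if the process may go on to do crypto, -1 if it must stop.
 * require_fips != 0 means the deployment claims FIPS 140-2 operation. */
int init_crypto(int require_fips)
{
    if (!require_fips)
        return 0;               /* ordinary (non-FIPS) operation requested */
#ifdef OPENSSL_FIPS
    /* FIPS-capable build: linking alone is not enough, the mode has to be
     * switched on, which also runs the module's self-tests. */
    if (!FIPS_mode_set(1)) {
        ERR_load_crypto_strings();
        ERR_print_errors_fp(stderr);
        return -1;              /* self-test or integrity check failed */
    }
    return 0;
#else
    /* Library was built without the FIPS canister: refuse rather than
     * silently run non-validated crypto under a FIPS label. */
    fprintf(stderr, "FIPS mode required but OpenSSL is not FIPS-capable\n");
    return -1;
#endif
}

int main(void)
{
    if (init_crypto(1) != 0) {
        fprintf(stderr, "refusing to start\n");
        return 1;
    }
    puts("*** IN FIPS MODE ***");
    return 0;
}
```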