Posted to dev@httpd.apache.org by Petr Hracek <ph...@gmail.com> on 2011/06/03 16:51:28 UTC

Succeed compilation with FIPS

Dear developers,

I have tried to find out on the web what is the correct way
how to compile http2 so that it will be compliant with FIPS 140-2.

I have already built up OpenSSL libraries with FIPS and development
files as well.
I have tried to run ./configure --with-ssl=<path_to_openSSL_FIPS_libraries>
and it seems to be good but how can I call make?

like: make CC=fipsld FIPSLD_CC=gcc ?

Thank you in advance

-- 
Best Regards / S pozdravem
Petr Hracek

Re: Succeed compilation with FIPS

Posted by Andrew Punch <an...@247realmedia.com>.
Hi,

Typically you would provide the required environment variables to
configure.

e.g. ./configure --with-ssl=<path_to_openSSL_FIPS_libraries> CC=fipsld FIPSLD_CC=gcc

Sometimes you might need to specify the environment variables before
configure or make, for example:
CC=fipsld FIPSLD_CC=gcc ./configure --with-ssl=<path_to_openSSL_FIPS_libraries>

-Andrew

On Fri, 2011-06-03 at 14:51 +0000, Petr Hracek wrote:

> Dear developers,
> 
> I have tried to find out on the web what is the correct way
> how to compile http2 so that it will be compliant with FIPS 140-2.
> 
> I have already built up OpenSSL libraries with FIPS and development
> files as well.
> I have tried to run ./configure --with-ssl=<path_to_openSSL_FIPS_libraries>
> and it seems to be good but how can I call make?
> 
> like: make CC=fipsld FIPSLD_CC=gcc ?
> 
> Thank you in advance
> 



Re: Succeed compilation with FIPS

Posted by Dr Stephen Henson <sh...@oss-institute.org>.
On 03/06/2011 15:51, Petr Hracek wrote:
> Dear developers,
> 
> I have tried to find out on the web what is the correct way
> how to compile http2 so that it will be compliant with FIPS 140-2.
> 
> I have already built up OpenSSL libraries with FIPS and development
> files as well.
> I have tried to run ./configure --with-ssl=<path_to_openSSL_FIPS_libraries>
> and it seems to be good but how can I call make?
> 
> like: make CC=fipsld FIPSLD_CC=gcc ?
> 

If you are linking to the OpenSSL shared libraries you don't need to do anything
special at all. It is only if you do a static build that you need to use the
fipsld script.

You can test the build by enabling FIPS mode in the configuration file: the log
file should confirm it is in FIPS mode. In that mode you shouldn't be able to
connect with a non-FIPS ciphersuite such as one including RC4.

Note that just compiling and enabling FIPS mode doesn't guarantee compliance:
you also need to adhere to the requirements of the security policy.

Steve.
-- 
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
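
The checks described in the last reply, as an added shell example that is not part of the original thread or of httpd: it classifies linkage from `ldd` output, looks for a FIPS-mode line in the error log, and probes whether an RC4-only handshake is refused. The function names, the log wording matched and the host:port argument are assumptions.

```shell
#!/bin/sh
# Added example. Host names, paths and the matched log wording are assumptions.

# Classify `ldd` output (stdin) for httpd or mod_ssl.so: "shared" means
# libssl/libcrypto load at run time, so no fipsld step is needed; otherwise
# OpenSSL is either linked statically (fipsld required) or not linked at all.
linkage_from_ldd() {
    if grep -Eq 'lib(ssl|crypto)\.so'; then echo shared; else echo static-or-absent; fi
}

# Succeed if the error log (stdin) has a line mentioning FIPS mode that is
# not a failure report. Exact wording varies by version (assumption).
log_confirms_fips() {
    grep -i 'fips mode' | grep -viq 'fail'
}

# Extract the negotiated suite from `openssl s_client` output (stdin);
# prints nothing when the handshake failed ("Cipher is (NONE)").
negotiated_cipher() {
    sed -n -e '/Cipher is (NONE)/d' -e 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# $1 = suite from a control handshake, $2 = suite from the RC4-only handshake.
# Without a working control handshake a failed RC4 attempt proves nothing.
rc4_verdict() {
    if [ -z "$1" ]; then echo inconclusive; return 0; fi
    case "$2" in *RC4*) echo accepted ;; *) echo rejected ;; esac
}

# Live probe against host:port. "rejected" is the expected FIPS-mode result.
probe_rc4() {
    # A client built without RC4 cannot offer it, so it cannot test rejection.
    openssl ciphers RC4 >/dev/null 2>&1 || { echo inconclusive; return 0; }
    control=$(echo | openssl s_client -connect "$1" -cipher AES 2>/dev/null | negotiated_cipher)
    rc4=$(echo | openssl s_client -connect "$1" -cipher RC4 2>/dev/null | negotiated_cipher)
    rc4_verdict "$control" "$rc4"
}

# Usage: sh fipscheck.sh host:443   (no argument: only define the functions)
if [ $# -gt 0 ]; then probe_rc4 "$1"; fi
```

Feed the first two functions real data with, for instance, `ldd` run on the httpd binary or mod_ssl.so and the server's error log after FIPS mode has been enabled in the configuration.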