OpenSSLWiki - User contributions [en]

FIPS Library and Apache

2016-04-04T15:25:09Z

Johnjs:

[[Category:FIPS 140]]

Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18

Install the latest FIPS OpenSSL (below steps)

In your working directory /home/username

Download openssl-fips-2.0.12.tar.gz

gunzip openssl-fips-2.0.12.tar.gz

tar -xvf openssl-fips-2.0.12.tar

cd openssl-fips-2.0.12

./config

make

make install

Download openssl-1.0.2g.tar.gz

gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g

./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/

make

make install

in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so

copy the files (not linked libcrypto.so libssl.so) to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so

Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so

The shared directory is used for application linking A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if the links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz

gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz

Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre

make

make install

Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar .

cp /home/username/apr-util-1.5.4.tar .

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar

create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util

cd .. (back to /home/username/httpd.2.4.18)

NOTE:

the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the SSLFIPS on in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.

The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.

export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc

./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr

make

make install

I need PHP(with mysql) - so I built the share module libphp5.so and placed a copy in /usr/local/apache2/modules/

In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use the system provided PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop

Start apache and confirm it is running.

By Wiki OpenSSL User johnjs 04-04-2016

User:Johnjs

2016-04-04T15:17:33Z

Johnjs: Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18

== Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18 ==

Install the latest FIPS OpenSSL (below steps)

In your working directory /home/username

Download openssl-fips-2.0.12.tar.gz

gunzip openssl-fips-2.0.12.tar.gz

tar -xvf openssl-fips-2.0.12.tar

cd openssl-fips-2.0.12

./config

make

make install

Download openssl-1.0.2g.tar.gz

gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g

./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/

make

make install

in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so

copy the files (not linked libcrypto.so libssl.so) to
a new shared directory /usr/local/ssl/lib/shared
recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so

Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so

The shared directory is used for application linking
A direct compile for a FIPS application using: -L/usr/local/ssl/lib
Will fail if the links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz

gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz

Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre

make

make install

Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar .

cp /home/username/apr-util-1.5.4.tar .

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar

create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util

cd .. (back to /home/username/httpd.2.4.18)

NOTE:

the --enable-ssl-staticlib-deps and --enable-mods-static=ssl
are to compile the Openssl module STATIC not shared.
If you leave them out, it will properly create a working apache2
server EXCEPT when you enable the SSLFIPS on in httpd.conf, then
apache2 will not start and you will get a FIPS fingerprint error
in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.

The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.

export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc

./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr

make

make install

I need PHP(with mysql) - so I built the share module libphp5.so
and placed a copy in /usr/local/apache2/modules/

In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so"
has to be commented out. In a shared version it must be active.
The --with-mpm=prefork option allows me to use the system provided
PHP5 module, the "event"(threaded) version didn't load PHP properly.
There are some other changes needed in the httpd.conf file (on internet)
on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop

Start apache and confirm it is running.

Main Page

2016-04-04T14:42:25Z

Johnjs:

<nowiki>Insert non-formatted text here</nowiki>
== Compiling a Static OpenSSL Fips Capable Apache2 httpd-2.4.18 ==

Below is a step by step instructions on how to compile a Fips Capable Apache2
from source. Fips is compiled into Apache statically. This includes the steps
to compile the FIPS module and Openssl. I build a prefork Apache2 because I use
a shared PHP5 module.

Install the latest FIPS OpenSSL (below steps)

Download openssl-fips-2.0.12.tar.gz

gunzip openssl-fips-2.0.12.tar.gz

tar -xvf openssl-fips-2.0.12.tar

cd openssl-fips-2.0.12

./config
make
make install

Download openssl-1.0.2g.tar.gz

gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g

./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/

make

make install

in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so

Some applications need those link references so I
copy all the files (not linked libcrypto.so libssl.so) to
a new shared directory /usr/local/ssl/lib/shared
recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so

Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so

The shared directory is used for application linking.
A direct compile for a FIPS application using: -L/usr/local/ssl/lib
Will fail if libcrypto.so and libssl.so links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz

gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz

Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre

make

make install

Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar

cp /home/username/apr-util-1.5.4.tar

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar

create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util

cd .. (back to /home/username/httpd.2.4.18)

NOTE:

the --enable-ssl-staticlib-deps and --enable-mods-static=ssl
are to compile the Openssl module STATIC not shared.
If you leave them out, it will properly create a working apache2
server EXCEPT when you enable the "SSLFIPS on" in httpd.conf, then
apache2 will not start and you will get a FIPS fingerprint error
in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.
The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.

export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc

execute configure with switches a space between each switch

./configure --prefix=/usr/local/apache2
--with-mpm=prefork
--enable-ssl
--with-ssl=/usr/local/ssl
--enable-ssl-staticlib-deps
--enable-mods-static=ssl
--with-pcre=/usr/local/pcre
--with-included-apr

make

make install

I need PHP(with mysql) - so I built the share module libphp5.so
and placed a copy in /usr/local/apache2/modules/

In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so"
has to be commented out. In a shared version it must be active.
The --with-mpm=prefork option allows me to use a compiled shared
PHP5 module, the "event"(threaded) version didn't load PHP properly.
There are some other changes needed in the httpd.conf file (on internet)
on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop

Start apache and confirm it is running.

johnjs 04-04-2016 9:40 CST(DST)

Main Page

2016-04-04T14:39:55Z

Johnjs: Compile a Static OpenSSL Fips Capable Apache2 httpd-2.4.18