FIPS Library and Apache

From OpenSSLWiki
Jump to navigationJump to search

This document will provide instructions for building the OpenSSL FIPS Object Module and OpenSSL FIPS Capable library for Apache servers. The FIPS Object Module provides validated cryptography, and the FIPS Capable Library uses the validated cryptography. As an OpenSSL developer, you will use the library the same as in the past – except you must call FIPS_mode_set to enter FIPS mode and engage the validated cryptography. In the case of an Apache server, Apache will call it for you based on its configuration file. If you are not doing business in US Federal and don't need FIPS validated cryptography, then see Android wiki page.

The FIPS Object Module, fipscanister.o, is a sequestered container of object code and data built from source code. The sources, object code and data are strictly controlled by the OpenSSL FIPS 140-2 Security Policy. No changes can be made to the procedure for building the FIPS Object Module, and no changes can be made to the sources. If you need to make changes to the FIPS Object Module, you will need to engage the OpenSSL Foundation for a separate validation.

The FIPS Capable Library is comprised of libcrypto and libssl. They are the same libraries you have been using for years. The FIPS Capable Library is tolerant of changes to procedures and source code. You are allowed to modify them within reason, as long as the changes do not adversely affect the FIPS Object Module.

This guide is intended to be informative and easy to use. In case of discrepancies between this document and the OpenSSL FIPS Security Policy, the Security Policy will prevail. You can download the Security Policy from

The instructions below used a static OpenSSL FIPS Capable library and Apache2 httpd-2.4.18.

Acquire the Required Files[edit]

Download openssl-fips-2.0.12.tar.gz and openssl-1.0.2g.tar.gz from

The signature on the FIPS Object Module tarball (openssl-fips-2.0.12.tar.gz) must be verified according to the Security Policy.

TODO: Finish organizing and formatting[edit]

gunzip openssl-fips-2.0.12.tar.gz 

tar -xvf openssl-fips-2.0.12.tar 

cd openssl-fips-2.0.12



make install

Download openssl-1.0.2g.tar.gz

gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g

./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/


make install

in /usr/local/ssl/lib there will be two "linked" files -> ->

copy the files (not linked to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to and

ln -s /usr/local/ssl/lib/shared/ /usr/local/ssl/lib/shared/

ln -s /usr/local/ssl/lib/shared/ /usr/local/ssl/lib/shared/

Remove the links in /usr/local/ssl/lib



The shared directory is used for application linking A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if the links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz

gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz

Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre


make install

Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar .

cp /home/username/apr-util-1.5.4.tar .

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar

create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util

cd .. (back to /home/username/httpd.2.4.18) 


the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the SSLFIPS on in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.

The configure compiles a STATIC Openssl ( into Apache2.

export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc

./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr 


make install

I need PHP(with mysql) - so I built the share module and placed a copy in /usr/local/apache2/modules/

In the httpd.conf file "Loadmodule ssl_module modules/" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use the system provided PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop

Start apache and confirm it is running.