Johnjs: Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18

2016-04-04T15:17:33Z

Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18

New page

== Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18 ==

Install the latest FIPS OpenSSL (below steps)

In your working directory /home/username

Download openssl-fips-2.0.12.tar.gz

gunzip openssl-fips-2.0.12.tar.gz

tar -xvf openssl-fips-2.0.12.tar

cd openssl-fips-2.0.12

./config

make

make install

Download openssl-1.0.2g.tar.gz

gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g

./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/

make

make install

in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so

copy the files (not linked libcrypto.so libssl.so) to
a new shared directory /usr/local/ssl/lib/shared
recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so

Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so

The shared directory is used for application linking
A direct compile for a FIPS application using: -L/usr/local/ssl/lib
Will fail if the links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz

gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz

Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre

make

make install

Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar .

cp /home/username/apr-util-1.5.4.tar .

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar

create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util

cd .. (back to /home/username/httpd.2.4.18)

NOTE:

the --enable-ssl-staticlib-deps and --enable-mods-static=ssl
are to compile the Openssl module STATIC not shared.
If you leave them out, it will properly create a working apache2
server EXCEPT when you enable the SSLFIPS on in httpd.conf, then
apache2 will not start and you will get a FIPS fingerprint error
in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.

The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.

export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc

./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr

make

make install

I need PHP(with mysql) - so I built the share module libphp5.so
and placed a copy in /usr/local/apache2/modules/

In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so"
has to be commented out. In a shared version it must be active.
The --with-mpm=prefork option allows me to use the system provided
PHP5 module, the "event"(threaded) version didn't load PHP properly.
There are some other changes needed in the httpd.conf file (on internet)
on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop

Start apache and confirm it is running.

User:Johnjs - Revision history

Johnjs: Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18