Difference between revisions of "FIPS Library and Apache"

From OpenSSLWiki
Jump to navigationJump to search
(Created page with " Category:FIPS 140")
 
Line 1: Line 1:
  
 
[[Category:FIPS 140]]
 
[[Category:FIPS 140]]
 +
 +
Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18
 +
 +
Install the latest FIPS OpenSSL (below steps)
 +
 +
In your working directory /home/username
 +
 +
Download openssl-fips-2.0.12.tar.gz
 +
 +
gunzip openssl-fips-2.0.12.tar.gz
 +
 +
tar -xvf openssl-fips-2.0.12.tar
 +
 +
cd openssl-fips-2.0.12
 +
 +
 +
./config
 +
 +
make
 +
 +
make install
 +
 +
 +
Download openssl-1.0.2g.tar.gz
 +
 +
 +
gunzip openssl-1.0.2g.tar.gz
 +
 +
tar -xvf openssl-1.0.2g.tar
 +
 +
cd openssl-1.0.2.g
 +
 +
 +
./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
 +
 +
make
 +
 +
make install
 +
 +
 +
in /usr/local/ssl/lib there will be two "linked" files
 +
 +
libcrypto.so.1.0.0 -> libcrypto.so
 +
 +
libssl.so.1.0.0 -> libssl.so
 +
 +
 +
copy the files (not linked libcrypto.so libssl.so) to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to libcrypto.so and libssl.so
 +
 +
ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so
 +
 +
ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so
 +
 +
 +
Remove the links in /usr/local/ssl/lib
 +
 +
rm libcrypto.so
 +
 +
rm libssl.so
 +
 +
 +
The shared directory is used for application linking A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if the links are still in /usr/local/ssl/lib
 +
 +
in /home/username (your working directory)
 +
 +
Download httpd.2.4.18.tar.gz
 +
 +
Download pcre-8.38.tar.gz
 +
 +
Download apr-1.5.2.tar.gz
 +
 +
Download apr-util-1.5.4.tar.gz
 +
 +
 +
gunzip httpd.2.4.18.tar.gz
 +
 +
gunzip pcre-8.38.tar.gz
 +
 +
gunzip apr-1.5.2.tar.gz
 +
 +
gunzip apr-util-1.5.4.gz
 +
 +
 +
Install PCRE
 +
 +
tar -xvf pcre-8.38.tar
 +
 +
cd /home/username/pcre-8.38
 +
 +
./configure --prefix=/usr/local/pcre
 +
 +
make
 +
 +
make install
 +
 +
 +
Install Apache2(httpd) with apr
 +
 +
tar -xvf httpd.2.4.18.tar
 +
 +
cd httpd.2.4.18
 +
 +
cd srclib (subdirectory)
 +
 +
cp /home/username/apr-1.5.2.tar .
 +
 +
cp /home/username/apr-util-1.5.4.tar .
 +
 +
tar -xvf apr-1.5.2.tar
 +
 +
tar -xvf apr-util-1.5.4.tar
 +
 +
 +
create two links - they are needed when apache compiles
 +
 +
ln -s apr-1.5.2 apr
 +
 +
ln -s apr-util-1.5.4 apr-util
 +
 +
 +
cd .. (back to /home/username/httpd.2.4.18)
 +
 +
NOTE:
 +
 +
the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the SSLFIPS on in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.
 +
 +
Procedure below is to compile OpenSSL as a static module in apache2
 +
 +
The two export(s) below sets the proper FIPS fingerprint variables.
 +
 +
The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.
 +
 +
 +
export CC=/usr/local/ssl/fips-2.0/bin/fipsld
 +
 +
export FIPSLD_CC=/usr/bin/gcc
 +
 +
 +
./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr
 +
 +
make
 +
 +
make install
 +
 +
 +
I need PHP(with mysql) - so I built the share module libphp5.so and placed a copy in /usr/local/apache2/modules/
 +
 +
 +
In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use the system provided PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.
 +
 +
to start: /usr/local/apache2/bin/apachectl start
 +
 +
to stop: /usr/local/apache2/bin/apachectl stop
 +
 +
 +
Start apache and confirm it is running.
 +
 +
By Wiki OpenSSL User johnjs 04-04-2016

Revision as of 15:25, 4 April 2016


Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18

Install the latest FIPS OpenSSL (below steps)

In your working directory /home/username

Download openssl-fips-2.0.12.tar.gz

gunzip openssl-fips-2.0.12.tar.gz

tar -xvf openssl-fips-2.0.12.tar

cd openssl-fips-2.0.12


./config

make

make install


Download openssl-1.0.2g.tar.gz


gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g


./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/

make

make install


in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so


copy the files (not linked libcrypto.so libssl.so) to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so


Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so


The shared directory is used for application linking A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if the links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz


gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz


Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre

make

make install


Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar .

cp /home/username/apr-util-1.5.4.tar .

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar


create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util 


cd .. (back to /home/username/httpd.2.4.18)

NOTE:

the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the SSLFIPS on in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.

The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.


export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc 


./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr

make

make install


I need PHP(with mysql) - so I built the share module libphp5.so and placed a copy in /usr/local/apache2/modules/


In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use the system provided PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop


Start apache and confirm it is running.

By Wiki OpenSSL User johnjs 04-04-2016

Retrieved from "https://wiki.openssl.org/index.php?title=FIPS_Library_and_Apache&oldid=2381"