FIPS Library and Apache
This document will provide instructions for building the OpenSSL FIPS Object Module and OpenSSL FIPS Capable library for Apache servers. The FIPS Object Module provides validated cryptography, and the FIPS Capable Library uses the validated cryptography. As an OpenSSL developer, you will use the library the same as in the past – except you must call FIPS_mode_set to enter FIPS mode and engage the validated cryptography. In the case of an Apache server, Apache will call it for you based on its configuration file. If you are not doing business in US Federal and don't need FIPS validated cryptography, then see Android wiki page.
The FIPS Object Module, fipscanister.o, is a sequestered container of object code and data built from source code. The sources, object code and data are strictly controlled by the OpenSSL FIPS 140-2 Security Policy. No changes can be made to the procedure for building the FIPS Object Module, and no changes can be made to the sources. If you need to make changes to the FIPS Object Module, you will need to engage the OpenSSL Foundation for a separate validation.
The FIPS Capable Library is comprised of libcrypto and libssl. They are the same libraries you have been using for years. The FIPS Capable Library is tolerant of changes to procedures and source code. You are allowed to modify them within reason, as long as the changes do not adversely affect the FIPS Object Module.
This guide is intended to be informative and easy to use. In case of discrepancies between this document and the OpenSSL FIPS Security Policy, the Security Policy will prevail. You can download the Security Policy from http://www.openssl.org/docs/fips/.
The instructions below used a static OpenSSL FIPS Capable library and Apache2 httpd-2.4.18.
Acquire the Required Files
Download openssl-fips-2.0.12.tar.gz and openssl-1.0.2g.tar.gz from http://www.openssl.org/source/.
The signature on the FIPS Object Module tarball (openssl-fips-2.0.12.tar.gz) must be verified according to the Security Policy.
TODO: Finish organizing and formatting
gunzip openssl-fips-2.0.12.tar.gz tar -xvf openssl-fips-2.0.12.tar cd openssl-fips-2.0.12
./config
make
make install
Download openssl-1.0.2g.tar.gz
gunzip openssl-1.0.2g.tar.gz
tar -xvf openssl-1.0.2g.tar
cd openssl-1.0.2.g
./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
make
make install
in /usr/local/ssl/lib there will be two "linked" files
libcrypto.so.1.0.0 -> libcrypto.so
libssl.so.1.0.0 -> libssl.so
copy the files (not linked libcrypto.so libssl.so) to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to libcrypto.so and libssl.so
ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so
ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so
Remove the links in /usr/local/ssl/lib
rm libcrypto.so
rm libssl.so
The shared directory is used for application linking A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if the links are still in /usr/local/ssl/lib
in /home/username (your working directory)
Download httpd.2.4.18.tar.gz
Download pcre-8.38.tar.gz
Download apr-1.5.2.tar.gz
Download apr-util-1.5.4.tar.gz
gunzip httpd.2.4.18.tar.gz
gunzip pcre-8.38.tar.gz
gunzip apr-1.5.2.tar.gz
gunzip apr-util-1.5.4.gz
Install PCRE
tar -xvf pcre-8.38.tar
cd /home/username/pcre-8.38
./configure --prefix=/usr/local/pcre
make
make install
Install Apache2(httpd) with apr
tar -xvf httpd.2.4.18.tar
cd httpd.2.4.18
cd srclib (subdirectory)
cp /home/username/apr-1.5.2.tar .
cp /home/username/apr-util-1.5.4.tar .
tar -xvf apr-1.5.2.tar
tar -xvf apr-util-1.5.4.tar
create two links - they are needed when apache compiles
ln -s apr-1.5.2 apr
ln -s apr-util-1.5.4 apr-util
cd .. (back to /home/username/httpd.2.4.18)
NOTE:
the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the SSLFIPS on in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.
Procedure below is to compile OpenSSL as a static module in apache2
The two export(s) below sets the proper FIPS fingerprint variables.
The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.
export CC=/usr/local/ssl/fips-2.0/bin/fipsld
export FIPSLD_CC=/usr/bin/gcc
./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr
make
make install
I need PHP(with mysql) - so I built the share module libphp5.so and placed a copy in /usr/local/apache2/modules/
In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use the system provided PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.
to start: /usr/local/apache2/bin/apachectl start
to stop: /usr/local/apache2/bin/apachectl stop
Start apache and confirm it is running.