FIPS Library and Apache

From OpenSSLWiki
Revision as of 00:00, 6 April 2016 by Jwalton (talk | contribs) (Added introduction and some formatting.)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

This document will provide instructions for building the OpenSSL FIPS Object Module and OpenSSL FIPS Capable library for Apache servers. The FIPS Object Module provides validated cryptography, and the FIPS Capable Library uses the validated cryptography. As an OpenSSL developer, you will use the library the same as in the past – except you must call FIPS_mode_set to enter FIPS mode and engage the validated cryptography. In the case of an Apache server, Apache will call it for you based on its configuration file. If you are not doing business in US Federal and don't need FIPS validated cryptography, then see Android wiki page.

The FIPS Object Module, fipscanister.o, is a sequestered container of object code and data built from source code. The sources, object code and data are strictly controlled by the OpenSSL FIPS 140-2 Security Policy. No changes can be made to the procedure for building the FIPS Object Module, and no changes can be made to the sources. If you need to make changes to the FIPS Object Module, you will need to engage the OpenSSL Foundation for a separate validation.

The FIPS Capable Library is comprised of libcrypto and libssl. They are the same libraries you have been using for years. The FIPS Capable Library is tolerant of changes to procedures and source code. You are allowed to modify them within reason, as long as the changes do not adversely affect the FIPS Object Module.

This guide is intended to be informative and easy to use. In case of discrepancies between this document and the OpenSSL FIPS Security Policy, the Security Policy will prevail. You can download the Security Policy from http://www.openssl.org/docs/fips/.

The instructions below used a static OpenSSL FIPS Capable library and Apache2 httpd-2.4.18.

Acquire the Required Files[edit]

Download openssl-fips-2.0.12.tar.gz and openssl-1.0.2g.tar.gz from http://www.openssl.org/source/.

The signature on the FIPS Object Module tarball (openssl-fips-2.0.12.tar.gz) must be verified according to the Security Policy.

TODO: Finish organizing and formatting[edit]

gunzip openssl-fips-2.0.12.tar.gz 

tar -xvf openssl-fips-2.0.12.tar 

cd openssl-fips-2.0.12


./config

make

make install


Download openssl-1.0.2g.tar.gz


gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g


./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/

make

make install


in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so


copy the files (not linked libcrypto.so libssl.so) to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so


Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so


The shared directory is used for application linking A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if the links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz


gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz


Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre

make

make install


Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar .

cp /home/username/apr-util-1.5.4.tar .

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar


create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util


cd .. (back to /home/username/httpd.2.4.18) 

NOTE:

the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the SSLFIPS on in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables.

The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.


export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc


./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-dep --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr 

make

make install


I need PHP(with mysql) - so I built the share module libphp5.so and placed a copy in /usr/local/apache2/modules/


In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use the system provided PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop


Start apache and confirm it is running.