Difference between revisions of "Main Page"

From OpenSSLWiki
Jump to navigationJump to search
(Compile a Static OpenSSL Fips Capable Apache2 httpd-2.4.18)
 
(16 intermediate revisions by 12 users not shown)
Line 1: Line 1:
<nowiki>Insert non-formatted text here</nowiki>
+
This is the OpenSSL wiki.  The main site is https://www.openssl.org . If this is your first visit or to get an account please see the [[Welcome]] page. Your participation and [[Contributions]] are valued.
== Compiling a Static OpenSSL Fips Capable Apache2 httpd-2.4.18 ==
 
  
Below is a step by step instructions on how to compile a Fips Capable Apache2
+
This wiki is intended as a place for collecting, organizing, and refining useful information about OpenSSL that is currently strewn among multiple locations and formats.
from source. Fips is compiled into Apache statically. This includes the steps
 
to compile the FIPS module and Openssl. I build a prefork Apache2 because I use
 
a shared PHP5 module.
 
  
Install the latest FIPS OpenSSL (below steps)
+
== OpenSSL Quick Links ==
  
Download openssl-fips-2.0.12.tar.gz
+
  <TABLE border=0>
+
    <TR>
gunzip openssl-fips-2.0.12.tar.gz
+
        <TD>[[OpenSSL Overview]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Compilation and Installation]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Configuration "packages"]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Internals]]</TD>
 +
      </TR>
 +
      <TR>
 +
        <TD>[[libcrypto API]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[libssl API]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Examples]] </TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Documentation Index|Index of all API functions]]</TD>
 +
      </TR>
 +
      <TR>
 +
        <TD>[[License]] </TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Command Line Utilities]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Related Links]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[Binaries]]</TD>
 +
      </TR>
 +
      <TR>
 +
        <TD>[[SSL and TLS Protocols]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[1.1 API Changes]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[FIPS modules]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[TLS1.3]]</TD>
 +
      </TR>
 +
      <TR>
 +
        <TD>[[Mailing Lists]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD>[[OpenSSL 3.0]]</TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD></TD>
 +
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
 +
        <TD></TD>
 +
      </TR>
 +
  </TABLE>
  
tar -xvf openssl-fips-2.0.12.tar
+
== Administrivia ==
 +
Site guidelines, legal and admininstrative issues.
 +
:* [[Basic rules]], [[Commercial Product Disclaimer]], [[Contributions]], [[Copyright]], [[License]]
 +
:* Using This Wiki
 +
:: [http://meta.wikimedia.org/wiki/Help:Contents Wiki User's Guide], [http://www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list], [http://www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ], [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki Mailing List]
  
cd openssl-fips-2.0.12
+
== Reference ==
 +
This section contains the automagically generated man pages from the OpenSSL git repository, and similar "man" style reference documentation. The man pages are automatically imported from the OpenSSL git repository and local wiki modifications are submitted as patches.
 +
:* [https://www.openssl.org/docs/manpages.html OpenSSL Manual Pages]
 +
:* [[API]], [[Libcrypto API]], [[Libssl API]]
 +
:* [[FIPS mode()]], [[FIPS_mode_set()]]
  
+
== Usage and Programming ==
./config
+
This section has discussions of practical issues in using OpenSSL
make
+
:* Building from Source
make install
+
:: Where to find it, the different versions, how to build and install it.
+
:* [[OpenSSL Overview]]
Download openssl-1.0.2g.tar.gz
+
:* [[Versioning]]
+
:* [[Compilation and Installation]]
gunzip openssl-1.0.2g.tar.gz
+
:* [[EVP]]
 +
:: Programming techniques and example code
 +
:: Use of EVP is preferred for most applications and circumstances
 +
::* [[EVP Asymmetric Encryption and Decryption of an Envelope]]
 +
::* [[EVP Authenticated Encryption and Decryption]]
 +
::* [[EVP Symmetric Encryption and Decryption]]
 +
::* [[EVP Key and Parameter Generation]]
 +
::* [[EVP Key Agreement]]
 +
::* [[EVP Message Digests]]
 +
::* [[EVP Key Derivation]]
 +
::* [[EVP Signing and Verifying|EVP Signing and Verifying (including MAC codes)]]
 +
:* [[STACK API]]
 +
:* [[List of SSL OP Flags]]
 +
:* Low Level APIs
 +
::[[Creating an OpenSSL Engine to use indigenous ECDH ECDSA and HASH Algorithms]]
 +
:: More specialized non-EVP usage
 +
::* [[Diffie-Hellman parameters]]
 +
:* [[FIPS Mode]]
 +
:* [[Simple TLS Server]]
 +
:* [[Simple TLS Client]]
 +
:* [[Simple DTLS Server]]
 +
:* [[Simple DTLS Client]]
  
tar -xvf openssl-1.0.2g.tar
+
== Concepts and Theory ==
 +
Discussions of basic cryptographic theory and concepts
 +
Discussions of common operational issues
 +
:* [[Base64]]
 +
:* [http://wiki.openssl.org/index.php/Category:FIPS_140 FIPS 140-2]
 +
:* [[Random Numbers]]
 +
:* [[Diffie Hellman]]
 +
:* [[Elliptic Curve Diffie Hellman]]
 +
:* [[Elliptic Curve Cryptography]]
  
cd openssl-1.0.2.g
+
== Security Advisories ==
 +
:* [https://www.openssl.org/policies/secpolicy.html OpenSSL Security Policy]
 +
:* [https://www.openssl.org/news/vulnerabilities.html OpenSSL Vulnerabilities List]
 +
:* [[Security_Advisories|Security Advisories Additional Information]]
  
+
== Feedback and Contributions ==
./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
+
:* [https://www.openssl.org/news/vulnerabilities.html How to notify us of suspected security vulnerabilities]
 +
:* [https://www.openssl.org/community/#bugs How to report bugs, other than for suspected vulnerabilities]
 +
:* [[Contributions|General background on source and documentation contributions - '''must read''']]
 +
:* Contributing code fixes, other than for suspected vulnerabilities, as well as fixes and other improvements to manual pages:
 +
::* If you are unsure as to whether a feature will be useful for the general OpenSSL community please discuss it on the [https://www.openssl.org/community/ openssl-users mailing list] first.  Someone may be already working on the same thing or there may be a good reason as to why that feature isn't implemented.
 +
::* Follow the [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|instructions for accessing source code]] in the appropriate branches. Note that manual pages and the FAQ are maintained with the source code.
 +
::* Submit a pull request for each separate fix (also documented [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|there]])
 +
::* Submit a bug report (see second bullet, above) and reference the pull request. Or you can attach the patch to the ticket.
 +
:* Contributing fixes and other improvements to the web site
 +
::* Follow the [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|instructions for accessing web site sources]]
 +
::* Create a patch (also documented [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|there]])
 +
::* Submit a bug report and add the patch as an attachment
 +
:* [[Developing For OpenSSL]]
 +
:* [[KnownPatches|Known patches not part of OpenSSL]]
 +
:* [[Welcome|Contributing to this wiki]]
  
make
+
== Internals and Development ==
 +
This section is for internal details of primary interest to OpenSSL maintainers and power users
 +
:* [[Code reformatting]]
  
make install
+
:* [[Internals]]
 
+
:* [[Code Quality]]
+
:* [[Static and Dynamic Analysis]]
in /usr/local/ssl/lib there will be two "linked" files
+
:* [[OCB|OCB Licence details]]
 
+
:* [[Defect and Feature Review Process]]
libcrypto.so.1.0.0 -> libcrypto.so
+
:* [[Unit Testing]] (includes other automated testing information)
 
+
:* [[How to Integrate a Symmetric Cipher]]
libssl.so.1.0.0 -> libssl.so
 
 
Some applications need those link references so I
 
copy all the files (not linked libcrypto.so libssl.so) to
 
a new shared directory /usr/local/ssl/lib/shared
 
recreate the links in shared to libcrypto.so and libssl.so
 
 
ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so
 
 
 
ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so
 
 
Remove the links in /usr/local/ssl/lib
 
 
 
rm libcrypto.so
 
 
 
rm libssl.so
 
 
 
 
 
The shared directory is used for application linking.
 
A direct compile for a FIPS application using: -L/usr/local/ssl/lib
 
Will fail if libcrypto.so and libssl.so links are still in /usr/local/ssl/lib
 
 
 
in /home/username (your working directory)
 
 
 
Download httpd.2.4.18.tar.gz
 
 
 
Download pcre-8.38.tar.gz
 
 
 
Download apr-1.5.2.tar.gz
 
 
 
Download apr-util-1.5.4.tar.gz
 
 
 
 
 
gunzip httpd.2.4.18.tar.gz
 
 
 
gunzip pcre-8.38.tar.gz
 
 
 
gunzip apr-1.5.2.tar.gz
 
 
 
gunzip apr-util-1.5.4.gz
 
 
 
 
 
Install PCRE
 
 
 
tar -xvf pcre-8.38.tar
 
 
 
cd /home/username/pcre-8.38
 
 
 
./configure --prefix=/usr/local/pcre
 
 
 
make
 
 
 
make install
 
 
 
 
 
Install Apache2(httpd) with apr
 
 
 
tar -xvf httpd.2.4.18.tar
 
 
 
cd httpd.2.4.18
 
 
 
cd srclib (subdirectory)
 
 
 
cp /home/username/apr-1.5.2.tar
 
 
 
cp /home/username/apr-util-1.5.4.tar
 
 
 
tar -xvf apr-1.5.2.tar
 
 
 
tar -xvf apr-util-1.5.4.tar
 
 
 
 
 
create two links - they are needed when apache compiles
 
 
 
ln -s apr-1.5.2 apr
 
 
 
ln -s apr-util-1.5.4 apr-util
 
 
 
 
 
cd .. (back to /home/username/httpd.2.4.18)
 
 
 
NOTE:  
 
 
 
the --enable-ssl-staticlib-deps and --enable-mods-static=ssl
 
are to compile the Openssl module STATIC not shared.
 
If you leave them out, it will properly create a working apache2
 
server EXCEPT when you enable the "SSLFIPS on" in httpd.conf, then
 
apache2 will not start and you will get a FIPS fingerprint error
 
in the logs/error_log file.
 
 
 
Procedure below is to compile OpenSSL as a static module in apache2
 
 
 
The two export(s) below sets the proper FIPS fingerprint variables.
 
The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.
 
 
 
export CC=/usr/local/ssl/fips-2.0/bin/fipsld
 
 
 
export FIPSLD_CC=/usr/bin/gcc
 
 
 
execute configure with switches a space between each switch
 
 
 
./configure --prefix=/usr/local/apache2
 
    --with-mpm=prefork
 
    --enable-ssl
 
    --with-ssl=/usr/local/ssl
 
    --enable-ssl-staticlib-deps
 
    --enable-mods-static=ssl
 
    --with-pcre=/usr/local/pcre
 
    --with-included-apr
 
 
make
 
 
 
make install
 
 
 
 
 
I need PHP(with mysql) - so I built the share module libphp5.so
 
and placed a copy in /usr/local/apache2/modules/
 
 
 
In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so"
 
has to be commented out. In a shared version it must be active.
 
The --with-mpm=prefork option allows me to use a compiled shared
 
PHP5 module, the "event"(threaded) version didn't load PHP properly.
 
There are some other changes needed in the httpd.conf file (on internet)
 
on allowing Apache2 to recognize the .php extension.
 
 
 
to start: /usr/local/apache2/bin/apachectl start
 
 
 
to stop: /usr/local/apache2/bin/apachectl stop
 
 
 
Start apache and confirm it is running.
 
 
 
johjs 04-04-2016 9:40 CST(DST)
 

Latest revision as of 05:26, 16 February 2021

This is the OpenSSL wiki. The main site is https://www.openssl.org . If this is your first visit or to get an account please see the Welcome page. Your participation and Contributions are valued.

This wiki is intended as a place for collecting, organizing, and refining useful information about OpenSSL that is currently strewn among multiple locations and formats.

OpenSSL Quick Links[edit]

OpenSSL Overview HTAB.pngHTAB.png Compilation and Installation HTAB.pngHTAB.png Configuration "packages" HTAB.pngHTAB.png Internals
libcrypto API HTAB.pngHTAB.png libssl API HTAB.pngHTAB.png Examples HTAB.pngHTAB.png Index of all API functions
License HTAB.pngHTAB.png Command Line Utilities HTAB.pngHTAB.png Related Links HTAB.pngHTAB.png Binaries
SSL and TLS Protocols HTAB.pngHTAB.png 1.1 API Changes HTAB.pngHTAB.png FIPS modules HTAB.pngHTAB.png TLS1.3
Mailing Lists HTAB.pngHTAB.png OpenSSL 3.0 HTAB.pngHTAB.png HTAB.pngHTAB.png

Administrivia[edit]

Site guidelines, legal and admininstrative issues.

Wiki User's Guide, Configuration settings list, MediaWiki FAQ, MediaWiki Mailing List

Reference[edit]

This section contains the automagically generated man pages from the OpenSSL git repository, and similar "man" style reference documentation. The man pages are automatically imported from the OpenSSL git repository and local wiki modifications are submitted as patches.

Usage and Programming[edit]

This section has discussions of practical issues in using OpenSSL

  • Building from Source
Where to find it, the different versions, how to build and install it.
Programming techniques and example code
Use of EVP is preferred for most applications and circumstances
Creating an OpenSSL Engine to use indigenous ECDH ECDSA and HASH Algorithms
More specialized non-EVP usage

Concepts and Theory[edit]

Discussions of basic cryptographic theory and concepts Discussions of common operational issues

Security Advisories[edit]

Feedback and Contributions[edit]

  • If you are unsure as to whether a feature will be useful for the general OpenSSL community please discuss it on the openssl-users mailing list first. Someone may be already working on the same thing or there may be a good reason as to why that feature isn't implemented.
  • Follow the instructions for accessing source code in the appropriate branches. Note that manual pages and the FAQ are maintained with the source code.
  • Submit a pull request for each separate fix (also documented there)
  • Submit a bug report (see second bullet, above) and reference the pull request. Or you can attach the patch to the ticket.
  • Contributing fixes and other improvements to the web site

Internals and Development[edit]

This section is for internal details of primary interest to OpenSSL maintainers and power users