Difference between revisions of "Main Page"

From OpenSSLWiki
Previous revision edit summary: (Usage and Programming)
New revision edit summary: (Compile a Static OpenSSL Fips Capable Apache2 httpd-2.4.18)

Content of the previous revision (the Main Page as it stood before this edit; the text this edit added is reproduced in the rendered revision further down):

If this is your first visit or to get an account please see the [[Welcome]] page. Your participation and [[Contributions]] are valued.

This wiki is intended as a place for collecting, organizing, and refining useful information about OpenSSL that is currently strewn among multiple locations and formats.

== OpenSSL Quick Links ==

  <TABLE border=0>
    <TR>
        <TD>[[OpenSSL Overview]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Compilation and Installation]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Internals]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Mailing Lists]]</TD>
      </TR>
      <TR>
        <TD>[[libcrypto API]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[libssl API]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Examples]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Documentation Index|Index of all API functions]]</TD>
      </TR>
      <TR>
        <TD>[[License]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Command Line Utilities]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[Related Links]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
        <TD>[[SSL and TLS Protocols]]</TD>
      </TR>
      <TR>
        <TD>[[1.1 API Changes]]</TD>
        <TD>[[Image:HTAB.png]][[Image:HTAB.png]]</TD>
      </TR>
  </TABLE>

== Administrivia ==
Site guidelines, legal and administrative issues.
:* [[Basic rules]], [[Commercial Product Disclaimer]], [[Contributions]], [[Copyright]], [[License]]
:* Using This Wiki
:: [http://meta.wikimedia.org/wiki/Help:Contents Wiki User's Guide], [http://www.mediawiki.org/wiki/Manual:Configuration_settings Configuration settings list], [http://www.mediawiki.org/wiki/Manual:FAQ MediaWiki FAQ], [https://lists.wikimedia.org/mailman/listinfo/mediawiki-announce MediaWiki Mailing List]

== Reference ==
This section contains the automagically generated man pages from the OpenSSL git repository, and similar "man" style reference documentation. The man pages are automatically imported from the OpenSSL git repository and local wiki modifications are submitted as patches.
:* OpenSSL Manual Pages
::* [[Manual:Openssl(1)]], [[Manual:Ssl(3)]], [[Manual:Crypto(3)]], [[Documentation Index]]
:: If you wish to edit any of the Manual page content please refer to the [[Guidelines for Manual Page Authors]] page.
:* [[API]], [[Libcrypto API]], [[Libssl API]]
:* [[FIPS mode()]], [[FIPS_mode_set()]]

== Usage and Programming ==
This section has discussions of practical issues in using OpenSSL.
:* Building from Source
:: Where to find it, the different versions, how to build and install it.
:* [[OpenSSL Overview]]
:* [[Versioning]]
:* [[Compilation and Installation]]
:* [[EVP]]
:: Programming techniques and example code
:: Use of EVP is preferred for most applications and circumstances
::* [[EVP Asymmetric Encryption and Decryption of an Envelope]]
::* [[EVP Authenticated Encryption and Decryption]]
::* [[EVP Symmetric Encryption and Decryption]]
::* [[EVP Key and Parameter Generation]]
::* [[EVP Key Agreement]]
::* [[EVP Message Digests]]
::* [[EVP Key Derivation]]
::* [[EVP Signing and Verifying|EVP Signing and Verifying (including MAC codes)]]
:* [[STACK API]]
:* Low Level APIs
::[[Creating an OpenSSL Engine to use indigenous ECDH ECDSA and HASH Algorithms]]
:: More specialized non-EVP usage
::* [[Diffie-Hellman parameters]]
:* [[FIPS Mode]]
:* [[Simple TLS Server]]

== Concepts and Theory ==
Discussions of basic cryptographic theory and concepts, and of common operational issues.
:* [[Base64]]
:* [http://wiki.openssl.org/index.php/Category:FIPS_140 FIPS 140-2]
:* [[Random Numbers]]
:* [[Diffie Hellman]]
:* [[Elliptic Curve Diffie Hellman]]
:* [[Elliptic Curve Cryptography]]

== Security Advisories ==
:* [https://www.openssl.org/about/secpolicy.html OpenSSL Security Policy]
:* [https://www.openssl.org/news/vulnerabilities.html OpenSSL Vulnerabilities List]
:* [[Security_Advisories|Security Advisories Additional Information]]

== Feedback and Contributions ==
:* [https://www.openssl.org/support/faq.html#BUILD18 How to notify us of suspected security vulnerabilities]
:* [https://www.openssl.org/support/rt.html How to report bugs and patches, other than for suspected vulnerabilities]
:* [[Contributions|General background on source and documentation contributions - '''must read''']]
:* Contributing code fixes, other than for suspected vulnerabilities, as well as fixes and other improvements to manual pages:
::* If you are unsure as to whether a feature will be useful for the general OpenSSL community please discuss it on the [https://www.openssl.org/support/community.html openssl-dev mailing list] first. Someone may already be working on the same thing, or there may be a good reason why that feature isn't implemented.
::* Follow the [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|instructions for accessing source code]] in the appropriate branches. Note that manual pages and the FAQ are maintained with the source code.
::* Submit a pull request for each separate fix (also documented [[Use of Git#Use_of_Git_with_OpenSSL_source_tree|there]]).
::* Submit a bug report (see second bullet, above) and reference the pull request. Or you can attach the patch to the ticket.
:* Contributing fixes and other improvements to the web site
::* Follow the [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|instructions for accessing web site sources]]
::* Create a patch (also documented [[Use_of_Git#Use_of_Git_with_the_OpenSSL_web_site|there]])
::* Submit a bug report and add the patch as an attachment
:* [[Developing For OpenSSL]]
:* [[KnownPatches|Known patches not part of OpenSSL]]
:* [[Welcome|Contributing to this wiki]]

== Internals and Development ==
This section is for internal details of primary interest to OpenSSL maintainers and power users.
:* [[Code reformatting]]
:* [[Internals]]
:* [[Code Quality]]
:* [[Static and Dynamic Analysis]]
:* [[OCB|OCB Licence details]]
:* [[Defect and Feature Review Process]]
:* [[Unit Testing]] (includes other automated testing information)
Revision as of 14:39, 4 April 2016


== Compiling a Static OpenSSL FIPS Capable Apache2 httpd-2.4.18 ==

Below are step-by-step instructions for compiling a FIPS-capable Apache2 from source. FIPS is compiled into Apache statically. This includes the steps to compile the FIPS module and OpenSSL. I build a prefork Apache2 because I use a shared PHP5 module.

Install the latest FIPS OpenSSL (steps below). Download openssl-fips-2.0.12.tar.gz, then:

 gunzip openssl-fips-2.0.12.tar.gz
 tar -xvf openssl-fips-2.0.12.tar
 cd openssl-fips-2.0.12
 ./config
 make
 make install

Download openssl-1.0.2g.tar.gz and build it against the FIPS module just installed:

 gunzip openssl-1.0.2g.tar.gz
 tar -xvf openssl-1.0.2g.tar
 cd openssl-1.0.2g
 ./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
 make
 make install

In /usr/local/ssl/lib there will be two symlinks, the unversioned names pointing at the versioned libraries:

 libcrypto.so -> libcrypto.so.1.0.0
 libssl.so -> libssl.so.1.0.0

Some applications need those link references, so I copy all the files (but not the links libcrypto.so and libssl.so) to a new directory, /usr/local/ssl/lib/shared, and recreate the links there:

 ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so
 ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so

Then remove the links from /usr/local/ssl/lib:

 rm /usr/local/ssl/lib/libcrypto.so
 rm /usr/local/ssl/lib/libssl.so

The shared directory is used for application linking. A direct compile of a FIPS application using -L/usr/local/ssl/lib will fail if the libcrypto.so and libssl.so links are still in /usr/local/ssl/lib.
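The relinking step above, written as a reusable function so it can be rehearsed in a scratch directory before it is run against /usr/local/ssl/lib. This is an added example, not the wiki author's own script; it assumes the OpenSSL 1.0.2 library names shown on the page (libcrypto.so.1.0.0, libssl.so.1.0.0) and takes the library directory as a parameter. The make_fake_libdir helper builds a constructed stand-in for a fresh install (empty placeholder files, not real libraries) purely so the functions can be tried offline.

```shell
#!/bin/sh
# Added example, not part of the wiki page: the "copy to shared/, recreate the
# links there, remove the links from lib/" step as functions. Assumes the
# library names libcrypto.so.1.0.0 and libssl.so.1.0.0 from the page.
set -eu

# relink_shared_libs LIBDIR
#   Copies every regular file in LIBDIR (but not the libcrypto.so / libssl.so
#   symlinks) into LIBDIR/shared, recreates the two symlinks there, and then
#   removes the two symlinks from LIBDIR, so that -L LIBDIR resolves only the
#   static libcrypto.a / libssl.a while -L LIBDIR/shared gives the shared libs.
relink_shared_libs() {
    libdir=$1
    shared="$libdir/shared"
    mkdir -p "$shared"
    for f in "$libdir"/*; do
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            cp "$f" "$shared/"
        fi
    done
    for lib in libcrypto libssl; do
        real="$lib.so.1.0.0"
        if [ ! -f "$shared/$real" ]; then
            echo "missing $shared/$real" >&2
            return 1
        fi
        ln -sf "$shared/$real" "$shared/$lib.so"
        # only ever remove a symlink from LIBDIR, never a real library file
        if [ -L "$libdir/$lib.so" ]; then
            rm "$libdir/$lib.so"
        fi
    done
}

# check_libdir LIBDIR
#   Returns 0 when LIBDIR has the layout the page describes after relinking:
#   no unversioned .so left in LIBDIR, and working symlinks plus the real
#   versioned files inside LIBDIR/shared.
check_libdir() {
    libdir=$1
    for lib in libcrypto libssl; do
        [ ! -e "$libdir/$lib.so" ] || return 1
        [ -L "$libdir/shared/$lib.so" ] || return 1
        [ -f "$libdir/shared/$lib.so.1.0.0" ] || return 1
        # the symlink must resolve (to the copy in shared/), not dangle
        [ -f "$libdir/shared/$lib.so" ] || return 1
    done
    return 0
}

# make_fake_libdir DIR
#   Constructed stand-in for a fresh `make install` of OpenSSL 1.0.2: empty
#   placeholder files with the real names, so the functions above can be
#   tried in a temporary directory instead of /usr/local/ssl/lib.
make_fake_libdir() {
    mkdir -p "$1"
    for name in libcrypto.so.1.0.0 libssl.so.1.0.0 libcrypto.a libssl.a; do
        : > "$1/$name"
    done
    ln -sf libcrypto.so.1.0.0 "$1/libcrypto.so"
    ln -sf libssl.so.1.0.0 "$1/libssl.so"
}

# Demo against a temporary directory:  sh relink.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_fake_libdir "$tmp/lib"
    relink_shared_libs "$tmp/lib"
    check_libdir "$tmp/lib" && echo "layout OK under $tmp/lib"
    rm -rf "$tmp"
fi
```

Running check_libdir on the real /usr/local/ssl/lib after the manual steps is a quick way to confirm that nothing under lib/ still resolves libcrypto.so before the Apache configure step is attempted.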

In /home/username (your working directory), download:

 httpd-2.4.18.tar.gz
 pcre-8.38.tar.gz
 apr-1.5.2.tar.gz
 apr-util-1.5.4.tar.gz

and uncompress them:

 gunzip httpd-2.4.18.tar.gz
 gunzip pcre-8.38.tar.gz
 gunzip apr-1.5.2.tar.gz
 gunzip apr-util-1.5.4.tar.gz

Install PCRE:

 tar -xvf pcre-8.38.tar
 cd /home/username/pcre-8.38
 ./configure --prefix=/usr/local/pcre
 make
 make install

Install Apache2 (httpd) with APR. Unpack httpd, then copy the APR tarballs into its srclib subdirectory and unpack them there:

 tar -xvf httpd-2.4.18.tar
 cd httpd-2.4.18
 cd srclib
 cp /home/username/apr-1.5.2.tar .
 cp /home/username/apr-util-1.5.4.tar .
 tar -xvf apr-1.5.2.tar
 tar -xvf apr-util-1.5.4.tar

Create two links; they are needed when Apache compiles:

 ln -s apr-1.5.2 apr
 ln -s apr-util-1.5.4 apr-util

Go back to /home/username/httpd-2.4.18:

 cd ..

NOTE:

The --enable-ssl-staticlib-deps and --enable-mods-static=ssl switches compile the OpenSSL module (mod_ssl) STATIC, not shared. If you leave them out, configure will still produce a working Apache2 server, EXCEPT that once you enable "SSLFIPS on" in httpd.conf, Apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.

The procedure below compiles OpenSSL as a static module in Apache2.

The two exports below set the variables for the FIPS fingerprint (CC points at the fipsld wrapper, FIPSLD_CC at the real compiler it should call); the configure line then compiles a STATIC OpenSSL (mod_ssl, rather than a loadable mod_ssl.so) into Apache2.

 export CC=/usr/local/ssl/fips-2.0/bin/fipsld
 export FIPSLD_CC=/usr/bin/gcc

Run configure with all switches on one line, separated by a space:

 ./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr
 make
 make install


I need PHP (with MySQL), so I built the shared module libphp5.so and placed a copy in /usr/local/apache2/modules/.

In the httpd.conf file the line "LoadModule ssl_module modules/mod_ssl.so" has to be commented out (in a shared build it must be active). The --with-mpm=prefork option lets me use a compiled shared PHP5 module; the "event" (threaded) MPM didn't load PHP properly. Some further httpd.conf changes (documented elsewhere on the internet) are needed so that Apache2 recognizes the .php extension.

To start: /usr/local/apache2/bin/apachectl start

To stop: /usr/local/apache2/bin/apachectl stop

Start Apache and confirm it is running.
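Three checks for the failure modes described in the NOTE above, as an added example rather than anything from the wiki author: whether mod_ssl was actually compiled in statically (from the compiled-in module list that `httpd -l` prints), whether the LoadModule line for mod_ssl.so is still active in httpd.conf, and whether error_log already holds the FIPS fingerprint error. The message text "fingerprint does not match" is assumed to be how the OpenSSL FIPS module reports the mismatch; the sample module listing and log line used to try the functions are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example, not part of the wiki page: post-build checks for a static
# FIPS-capable httpd. Assumes `httpd -l` prints "Compiled in modules:" followed
# by one source file name per line, and that the FIPS module reports a
# mismatch with the text "fingerprint does not match".
set -eu

# mod_ssl_is_static LISTING
#   LISTING is the text printed by `httpd -l`. Returns 0 when mod_ssl.c is in
#   the compiled-in list, i.e. --enable-mods-static=ssl took effect.
mod_ssl_is_static() {
    printf '%s\n' "$1" | grep -q '^[[:space:]]*mod_ssl\.c[[:space:]]*$'
}

# loadmodule_ssl_active HTTPD_CONF
#   Returns 0 if an uncommented "LoadModule ssl_module ..." line is present,
#   which the page says must be commented out for the static build.
loadmodule_ssl_active() {
    grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$1"
}

# fips_fingerprint_error ERROR_LOG
#   Returns 0 if ERROR_LOG contains the FIPS fingerprint mismatch that the
#   page says appears when mod_ssl was built shared and "SSLFIPS on" is set.
fips_fingerprint_error() {
    grep -qi 'fingerprint does not match' "$1"
}

# verify_static_fips_build HTTPD_BIN HTTPD_CONF ERROR_LOG
#   Runs all three checks against the real binary and files, e.g.
#   verify_static_fips_build /usr/local/apache2/bin/httpd \
#       /usr/local/apache2/conf/httpd.conf /usr/local/apache2/logs/error_log
verify_static_fips_build() {
    listing=$("$1" -l)
    if ! mod_ssl_is_static "$listing"; then
        echo "mod_ssl is not compiled in; rebuild with --enable-mods-static=ssl" >&2
        return 1
    fi
    if loadmodule_ssl_active "$2"; then
        echo "LoadModule ssl_module must be commented out in $2" >&2
        return 1
    fi
    if [ -f "$3" ] && fips_fingerprint_error "$3"; then
        echo "FIPS fingerprint error found in $3" >&2
        return 1
    fi
    echo "static mod_ssl, no LoadModule ssl_module, no fingerprint error"
}
```

Run verify_static_fips_build right after `make install` and again after the first `apachectl start` with "SSLFIPS on": the first run catches a configure line that silently dropped the static switches, the second catches a fingerprint failure that would otherwise only show up as a server that refuses to start.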

johjs 04-04-2016 9:40 CST(DST)