Difference between revisions of "Main Page"

From OpenSSLWiki
(Compile a Static OpenSSL Fips Capable Apache2 httpd-2.4.18)
Line 173: Line 173:
Start apache and confirm it is running.
Start apache and confirm it is running.
johjs 04-04-2016 9:40 CST(DST)
johnjs 04-04-2016 9:40 CST(DST)

Revision as of 14:42, 4 April 2016

Insert non-formatted text here

Compiling a Static OpenSSL Fips Capable Apache2 httpd-2.4.18

Below is a step by step instructions on how to compile a Fips Capable Apache2 from source. Fips is compiled into Apache statically. This includes the steps to compile the FIPS module and Openssl. I build a prefork Apache2 because I use a shared PHP5 module.

Install the latest FIPS OpenSSL (below steps)

Download openssl-fips-2.0.12.tar.gz

gunzip openssl-fips-2.0.12.tar.gz

tar -xvf openssl-fips-2.0.12.tar

cd openssl-fips-2.0.12

./config make make install

Download openssl-1.0.2g.tar.gz

gunzip openssl-1.0.2g.tar.gz

tar -xvf openssl-1.0.2g.tar

cd openssl-1.0.2.g

./config shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/


make install

in /usr/local/ssl/lib there will be two "linked" files

libcrypto.so.1.0.0 -> libcrypto.so

libssl.so.1.0.0 -> libssl.so

Some applications need those link references so I copy all the files (not linked libcrypto.so libssl.so) to a new shared directory /usr/local/ssl/lib/shared recreate the links in shared to libcrypto.so and libssl.so

ln -s /usr/local/ssl/lib/shared/libcrypto.so.1.0.0 /usr/local/ssl/lib/shared/libcrypto.so

ln -s /usr/local/ssl/lib/shared/libssl.so.1.0.0 /usr/local/ssl/lib/shared/libssl.so

Remove the links in /usr/local/ssl/lib

rm libcrypto.so

rm libssl.so

The shared directory is used for application linking. A direct compile for a FIPS application using: -L/usr/local/ssl/lib Will fail if libcrypto.so and libssl.so links are still in /usr/local/ssl/lib

in /home/username (your working directory)

Download httpd.2.4.18.tar.gz

Download pcre-8.38.tar.gz

Download apr-1.5.2.tar.gz

Download apr-util-1.5.4.tar.gz

gunzip httpd.2.4.18.tar.gz

gunzip pcre-8.38.tar.gz

gunzip apr-1.5.2.tar.gz

gunzip apr-util-1.5.4.gz

Install PCRE

tar -xvf pcre-8.38.tar

cd /home/username/pcre-8.38

./configure --prefix=/usr/local/pcre


make install

Install Apache2(httpd) with apr

tar -xvf httpd.2.4.18.tar

cd httpd.2.4.18

cd srclib (subdirectory)

cp /home/username/apr-1.5.2.tar

cp /home/username/apr-util-1.5.4.tar

tar -xvf apr-1.5.2.tar

tar -xvf apr-util-1.5.4.tar

create two links - they are needed when apache compiles

ln -s apr-1.5.2 apr

ln -s apr-util-1.5.4 apr-util

cd .. (back to /home/username/httpd.2.4.18)


the --enable-ssl-staticlib-deps and --enable-mods-static=ssl are to compile the Openssl module STATIC not shared. If you leave them out, it will properly create a working apache2 server EXCEPT when you enable the "SSLFIPS on" in httpd.conf, then apache2 will not start and you will get a FIPS fingerprint error in the logs/error_log file.

Procedure below is to compile OpenSSL as a static module in apache2

The two export(s) below sets the proper FIPS fingerprint variables. The configure compiles a STATIC Openssl (mod_ssl.so) into Apache2.

export CC=/usr/local/ssl/fips-2.0/bin/fipsld

export FIPSLD_CC=/usr/bin/gcc

execute configure with switches a space between each switch

./configure --prefix=/usr/local/apache2 --with-mpm=prefork --enable-ssl --with-ssl=/usr/local/ssl --enable-ssl-staticlib-deps --enable-mods-static=ssl --with-pcre=/usr/local/pcre --with-included-apr


make install

I need PHP(with mysql) - so I built the share module libphp5.so and placed a copy in /usr/local/apache2/modules/

In the httpd.conf file "Loadmodule ssl_module modules/mod_ssl.so" has to be commented out. In a shared version it must be active. The --with-mpm=prefork option allows me to use a compiled shared PHP5 module, the "event"(threaded) version didn't load PHP properly. There are some other changes needed in the httpd.conf file (on internet) on allowing Apache2 to recognize the .php extension.

to start: /usr/local/apache2/bin/apachectl start

to stop: /usr/local/apache2/bin/apachectl stop

Start apache and confirm it is running.

johnjs 04-04-2016 9:40 CST(DST)