[openssl-users] Configure and config in openssl source folder

cloud force cloud.force858 at gmail.com
Wed Feb 10 21:08:35 UTC 2016


Thanks Kyle. So basically I can just use Configure for building a FIPS
capable OpenSSL library, as long as I pass the right parameters to it, right?

Also if I use Configure, do I need to explicitly turn off the non-FIPS
approved algorithms, like passing "no-rc4" as a parameter to the Configure
command?

I understand it's not necessary to do that if I use the config script.

Thanks,
Rich


On Wed, Feb 10, 2016 at 12:57 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:

> ./config autodetects the platform and such, passing various parameters to
> Configure. So, after you've built the canister, you can do as you want.
>
> So, to do this, figure out from ./config what parameters it passes to
> Configure in the presence of the 'fips' argument, then modify the command
> line the packaging script invokes accordingly.
>
> -Kyle H
>
>
> On 2/10/2016 12:47 PM, cloud force wrote:
>
> Thanks Kyle.
>
> Yes, for building the FIPS canister I did exactly the same thing as
> mentioned in the security policy doc.
>
> My questions above were mainly regarding building the OpenSSL library
> itself with the fipscanister.o modules.
>
> In the doc it said we should just do "*config fips*", and since the
> Ubuntu OpenSSL packaging script does not run the *config* script and runs the
> *Configure* script instead, I was wondering: should I still run "./config
> fips" before running the Configure script, or should I just run "Configure
> fips" instead?
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <aerowolf at gmail.com>
> wrote:
>
>> My understanding is, you must follow the steps given in the Security
>> Guide *exactly*, with no deviation, in order to produce a validated binary
>> of the FIPS canister.  In other words, you *must not* try to use Configure
>> when attempting to build the FIPS canister because it does not match the
>> steps given in the Security Guide.
>>
>> Once you have the FIPS canister, you can build a version of OpenSSL that
>> uses it pretty much indiscriminately (as long as you ensure that all the
>> things that fipsld does actually happen when it comes time to link).
>>
>> (I apologize if my knowledge is out of date, I haven't been following the
>> FIPS development for a couple of years.)
>>
>> -Kyle H
>>
>>
>> On 2/10/2016 12:23 PM, cloud force wrote:
>>
>> Hi Everyone,
>>
>> I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
>>
>> The OpenSSL doc mentioned we need to do ./config fips in order to
>> build openssl under fips mode. I tried that and it worked well.
>>
>> Now I am building the OpenSSL FIPS as an Ubuntu package. I noticed the
>> package manager meta script uses the Configure (instead of config script)
>> under the openssl source folder.
>>
>> I was wondering, should I also do "Configure fips" if I use the Configure
>> script to configure the source tree? What's the relationship between the config
>> and Configure scripts?
>>
>> Or should I just run ./config fips first and then let the package manager
>> script run Configure?
>>
>> Thanks.
>> Rich
>>
>>
>>
>>
>>
>> --
>> openssl-users mailing list
>> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
>>
>>
>
>
>
>