[openssl-users] Configure and config in openssl source folder

Kyle Hamilton aerowolf at gmail.com
Wed Feb 10 21:18:15 UTC 2016


The FIPS module will explicitly deny any attempt to use unapproved
algorithms when it's in FIPS mode.  It's only when it's not in FIPS mode
that you might be able to use the unapproved algorithms, because the
generated library will use the original code and not the FIPS canister.

So, if you want to disable the use of rc4 even when it's not in FIPS
mode, pass no-rc4.  FIPS mode will disable it as a matter of course.

-Kyle H

On 2/10/2016 1:08 PM, cloud force wrote:
> Thanks Kyle. So basically I can just use Configure for building FIPS
> capable OpenSSL library, as long as I pass the right parameters to it
> right?
>
> Also if I use Configure, do I need to explicitly turn off the non-FIPS
> approved algorithms, like passing "no-rc4" as a parameter to the
> Configure command?
>
> I understand it's not necessary to do that if I use the config script.
>
> Thanks,
> Rich
>
>
> On Wed, Feb 10, 2016 at 12:57 PM, Kyle Hamilton <aerowolf at gmail.com
> <mailto:aerowolf at gmail.com>> wrote:
>
>     ./config autodetects the platform and such, passing various
>     parameters to Configure. So, after you've built the canister, you
>     can do as you want.
>
>     So, to do this, figure out from ./config what parameters it passes
>     to Configure in the presence of the 'fips' argument, then modify
>     the command line the packaging script invokes accordingly.
>
>     -Kyle H
>
>
>     On 2/10/2016 12:47 PM, cloud force wrote:
>>     Thanks Kyle.
>>
>>     Yes, for building the FIPS canister I did exactly the same thing as
>>     mentioned in the security policy doc.
>>
>>     My questions above were mainly regarding building the OpenSSL
>>     library itself with the fipscanister.o modules.
>>
>>     In the doc it said we should just do "config fips", and since
>>     the Ubuntu OpenSSL packaging script does not run the config
>>     script and runs the Configure script instead, I was wondering
>>     whether I should still run "./config fips" before running the
>>     Configure script, or whether I should just run "Configure fips"
>>     instead?
>>
>>     Thanks,
>>     Rich
>>
>>     On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton
>>     <aerowolf at gmail.com <mailto:aerowolf at gmail.com>> wrote:
>>
>>         My understanding is, you must follow the steps given in the
>>         Security Guide *exactly*, with no deviation, in order to
>>         produce a validated binary of the FIPS canister.  In other
>>         words, you *must not* try to use Configure when attempting to
>>         build the FIPS canister because it does not match the steps
>>         given in the Security Guide.
>>
>>         Once you have the FIPS canister, you can build a version of
>>         OpenSSL that uses it pretty much indiscriminately (as long as
>>         you ensure that all the things that fipsld does actually
>>         happen when it comes time to link).
>>
>>         (I apologize if my knowledge is out of date, I haven't been
>>         following the FIPS development for a couple of years.)
>>
>>         -Kyle H
>>
>>
>>         On 2/10/2016 12:23 PM, cloud force wrote:
>>>         Hi Everyone,
>>>
>>>         I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04
>>>         package.
>>>
>>>         The OpenSSL doc mentioned that we need to do ./config
>>>         fips in order to build openssl in FIPS mode. I tried that
>>>         and it worked well.
>>>
>>>         Now I am building the OpenSSL FIPS as a Ubuntu package. I
>>>         noticed the package manager meta script uses Configure
>>>         (instead of the config script) under the openssl source folder.
>>>
>>>         I was wondering should I also do "Configure fips", if I use
>>>         the Configure script to configure the source tree? What's
>>>         the relationship between config and Configure scripts?
>>>
>>>         Or should I just run ./config fips first and then let the
>>>         package manager script run Configure?
>>>
>>>         Thanks.
>>>         Rich
>>
>>         --
>>         openssl-users mailing list
>>         To unsubscribe:
>>         https://mta.openssl.org/mailman/listinfo/openssl-users
>

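The procedure Kyle sketches (let ./config tell you what it would pass to Configure, then hand the same arguments, plus any extra no-* switches such as no-rc4, to the Configure call the packaging script makes) as an added shell example. This is not code from the thread or from the OpenSSL project. It assumes OpenSSL 1.0.x, where `./config -t` is the test mode that prints the Configure command line without running it, and where the openssl command-line tool calls FIPS_mode_set(1) at startup when OPENSSL_FIPS is set in the environment. The `./config -t fips` output embedded below is constructed, OPENSSL_SRC is a variable invented for the example, and the script covers only the FIPS-capable library build; the canister itself still has to be built exactly as the Security Policy describes.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSSL project): reproduce what
# "./config fips" would hand to Configure, so a packaging script that calls
# Configure directly can be given the same arguments, then sanity-check the
# resulting build.  Assumes OpenSSL 1.0.x, where "./config -t" prints the
# Configure command instead of running it, and where the openssl app calls
# FIPS_mode_set(1) when OPENSSL_FIPS is set in the environment.

# Constructed sample of what "./config -t fips" prints on an x86_64 Linux box.
# The -Wa,--noexecstack is the kind of platform flag config adds that a
# hand-written "Configure fips" line would silently drop.
SAMPLE_CONFIG_T_OUTPUT='Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
/usr/bin/perl ./Configure linux-x86_64 fips -Wa,--noexecstack'

# Extract the "./Configure <target> <options>" line from "./config -t" output,
# dropping the leading perl path so the result is a plain shell command.
configure_cmd_from_test_output() {
    printf '%s\n' "$1" | sed -n 's|^.*\./Configure |./Configure |p' | head -n 1
}

# Append each option that is not already present as a whole word, so the
# command stays idempotent when the packaging script is re-run.
add_configure_options() {
    cmd=$1; shift
    for opt in "$@"; do
        case " $cmd " in
            *" $opt "*) ;;
            *) cmd="$cmd $opt" ;;
        esac
    done
    printf '%s\n' "$cmd"
}

# Build the Configure invocation: take what config would pass, make sure
# "fips" is there and add no-rc4 so RC4 is unavailable even outside FIPS mode.
fips_configure_cmd() {
    base=$(configure_cmd_from_test_output "$1")
    [ -n "$base" ] || { echo "no ./Configure line in config -t output" >&2; return 1; }
    add_configure_options "$base" fips no-rc4
}

# Checks on a built "openssl" binary ($1); returns 0 only if all pass.
verify_fips_build() {
    bin=$1
    # A build configured with 'fips' carries "-fips" in its version text.
    "$bin" version | grep -q -- '-fips' || { echo "version text lacks -fips" >&2; return 1; }
    # In FIPS mode the canister refuses unapproved digests, so md5 must fail.
    # (If FIPS_mode_set(1) itself fails, the app exits non-zero as well.)
    if OPENSSL_FIPS=1 "$bin" md5 /dev/null >/dev/null 2>&1; then
        echo "md5 accepted in FIPS mode: canister not in effect" >&2; return 1
    fi
    # With no-rc4 the cipher is compiled out, so it must fail with FIPS mode off too.
    if printf x | "$bin" enc -rc4 -k k >/dev/null 2>&1; then
        echo "rc4 still available: build without no-rc4" >&2; return 1
    fi
    return 0
}

# Usage on a real tree (OPENSSL_SRC is a variable invented for this example):
#   OPENSSL_SRC=/path/to/openssl-1.0.2 sh this_script.sh
if [ -n "${OPENSSL_SRC:-}" ]; then
    cd "$OPENSSL_SRC" || exit 1
    cmd=$(fips_configure_cmd "$(./config -t fips)")
    echo "running: $cmd"
    eval "$cmd" && make && verify_fips_build ./apps/openssl
fi
```

The three checks in verify_fips_build separate the failure modes the thread touches on: a build that was never configured with fips, a build that was configured with fips but did not end up linked against the canister (so FIPS mode is not actually enforced), and a build that still carries RC4 because no-rc4 was left off the Configure line.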