<div dir="ltr">Thanks Kyle.<div><br></div><div>Yes, for building FIPS canister I did exactly the same thing as it mentioned in the security policy doc.</div><div><br></div><div>My questions above were mainly regarding building the OpenSSL library itself with the fipscanister.o modules.</div><div><br></div><div>In the doc it said we should just do "<i><b>config fips</b></i>", and since the Ubuntu OpenSSL packaging script does not run <i><b>config</b></i> script and it run <i><b>Configure</b></i> script instead, I was wondering should I still run "./config tips" before run the Configure script, or should I just run "Configure fips" instead?</div><div><br></div><div>Thanks,</div><div>Rich</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <span dir="ltr"><<a href="mailto:aerowolf@gmail.com" target="_blank">aerowolf@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
My understanding is, you must follow the steps given in the Security
Guide *exactly*, with no deviation, in order to produce a validated
binary of the FIPS canister. In other words, you *must not* try to
use Configure when attempting to build the FIPS canister because it
does not match the steps given in the Security Guide.<br>
<br>
Once you have the FIPS canister, you can build a version of OpenSSL
that uses it pretty much indiscriminately (as long as you ensure
that all the things that fipsld does actually happen when it comes
time to link).<br>
<br>
(I apologize if my knowledge is out of date, I haven't been
following the FIPS development for a couple of years.)<br>
<br>
-Kyle H<div><div class="h5"><br>
<br>
<div>On 2/10/2016 12:23 PM, cloud force
wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Everyone,
<div><br>
</div>
<div>I am trying to build FIPS capable OpenSSL as an Ubuntu
12.04 package.</div>
<div><br>
</div>
<div>From the OpenSSL doc it mentioned we need to do ./config
fips in order to build openssl under tips mode. I tried that
and it worked well.</div>
<div><br>
</div>
<div>Now I am building the OpenSSL FIPS as a Ubuntu package. I
noticed the package manager meta script use the Configure
(instead of config script) under the openssl source folder.</div>
<div><br>
</div>
<div>I was wondering should I also do "Configure fips", if I use
the Configure script to configure the source tree? What's the
relationship between config and Configure scripts?</div>
<div><br>
</div>
<div>Or should I just run ./config fips first and then let the
package manager script to run Configure?</div>
<div><br>
</div>
<div>Thanks.</div>
<div>Rich</div>
<div><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</blockquote>
<br>
</div></div></div>
<br>--<br>
openssl-users mailing list<br>
To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br></blockquote></div><br></div>