<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
./config autodetects the platform and such, passing various
parameters to Configure. So, after you've built the canister, you
can do as you want.<br>
<br>
So, to do this, figure out from ./config what parameters it passes
to Configure in the presence of the 'fips' argument, then modify the
command line the packaging script invokes accordingly.<br>
<br>
-Kyle H<br>
<br>
<div class="moz-cite-prefix">On 2/10/2016 12:47 PM, cloud force
wrote:<br>
</div>
<blockquote
cite="mid:CAEsYawxn1TeuB0xJCEnnxKW2QtaC21T-WdWvm14TbCXnWKz-Bw@mail.gmail.com"
type="cite">
<div dir="ltr">Thanks Kyle.
<div><br>
</div>
<div>Yes, for building the FIPS canister I did exactly the same
thing as is mentioned in the security policy doc.</div>
<div><br>
</div>
<div>My questions above were mainly regarding building the
OpenSSL library itself with the fipscanister.o modules.</div>
<div><br>
</div>
<div>In the doc it said we should just do "<i><b>config fips</b></i>",
and since the Ubuntu OpenSSL packaging script does not run the <i><b>config</b></i>
script and it runs the <i><b>Configure</b></i> script instead, I
was wondering whether I should still run "./config fips" before running
the Configure script, or should I just run "Configure fips"
instead?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Rich</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Wed, Feb 10, 2016 at 12:37 PM, Kyle
Hamilton <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:aerowolf@gmail.com" target="_blank">aerowolf@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> My understanding is,
you must follow the steps given in the Security Guide
*exactly*, with no deviation, in order to produce a
validated binary of the FIPS canister. In other words,
you *must not* try to use Configure when attempting to
build the FIPS canister because it does not match the
steps given in the Security Guide.<br>
<br>
Once you have the FIPS canister, you can build a version
of OpenSSL that uses it pretty much indiscriminately (as
long as you ensure that all the things that fipsld does
actually happen when it comes time to link).<br>
<br>
(I apologize if my knowledge is out of date, I haven't
been following the FIPS development for a couple of
years.)<br>
<br>
-Kyle H
<div>
<div class="h5"><br>
<br>
<div>On 2/10/2016 12:23 PM, cloud force wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Hi Everyone,
<div><br>
</div>
<div>I am trying to build FIPS capable OpenSSL as
an Ubuntu 12.04 package.</div>
<div><br>
</div>
<div>The OpenSSL doc mentions that we need to
do ./config fips in order to build openssl under
fips mode. I tried that and it worked well.</div>
<div><br>
</div>
<div>Now I am building the OpenSSL FIPS as an
Ubuntu package. I noticed the package manager
meta script uses the Configure script (instead of the config
script) under the openssl source folder.</div>
<div><br>
</div>
<div>I was wondering should I also do "Configure
fips", if I use the Configure script to
configure the source tree? What's the
relationship between config and Configure
scripts?</div>
<div><br>
</div>
<div>Or should I just run ./config fips first and
then let the package manager script run
Configure?</div>
<div><br>
</div>
<div>Thanks.</div>
<div>Rich</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
</div>
</div>
<br>
--<br>
openssl-users mailing list<br>
To unsubscribe: <a moz-do-not-send="true"
href="https://mta.openssl.org/mailman/listinfo/openssl-users"
rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>