<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    ./config autodetects the platform and such, passing various
    parameters to Configure. So, after you've built the canister, you
    can do as you want.<br>
    <br>
    So, to do this, figure out from ./config what parameters it passes
    to Configure in the presence of the 'fips' argument, then modify the
    command line the packaging script invokes accordingly.<br>
    <br>
    -Kyle H<br>
    <br>
    <div class="moz-cite-prefix">On 2/10/2016 12:47 PM, cloud force
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAEsYawxn1TeuB0xJCEnnxKW2QtaC21T-WdWvm14TbCXnWKz-Bw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Thanks Kyle.
        <div><br>
        </div>
        <div>Yes, for building FIPS canister I did exactly the same
          thing as it mentioned in the security policy doc.</div>
        <div><br>
        </div>
        <div>My questions above were mainly regarding building the
          OpenSSL library itself with the fipscanister.o modules.</div>
        <div><br>
        </div>
        <div>In the doc it said we should just do "<i><b>config fips</b></i>",
          and since the Ubuntu OpenSSL packaging script does not run <i><b>config</b></i>
          script and it run <i><b>Configure</b></i> script instead, I
          was wondering should I still run "./config tips" before run
          the Configure script, or should I just run "Configure fips"
          instead?</div>
        <div><br>
        </div>
        <div>Thanks,</div>
        <div>Rich</div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Wed, Feb 10, 2016 at 12:37 PM, Kyle
          Hamilton <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:aerowolf@gmail.com" target="_blank">aerowolf@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000"> My understanding is,
              you must follow the steps given in the Security Guide
              *exactly*, with no deviation, in order to produce a
              validated binary of the FIPS canister.  In other words,
              you *must not* try to use Configure when attempting to
              build the FIPS canister because it does not match the
              steps given in the Security Guide.<br>
              <br>
              Once you have the FIPS canister, you can build a version
              of OpenSSL that uses it pretty much indiscriminately (as
              long as you ensure that all the things that fipsld does
              actually happen when it comes time to link).<br>
              <br>
              (I apologize if my knowledge is out of date, I haven't
              been following the FIPS development for a couple of
              years.)<br>
              <br>
              -Kyle H
              <div>
                <div class="h5"><br>
                  <br>
                  <div>On 2/10/2016 12:23 PM, cloud force wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hi Everyone,
                      <div><br>
                      </div>
                      <div>I am trying to build FIPS capable OpenSSL as
                        an Ubuntu 12.04 package.</div>
                      <div><br>
                      </div>
                      <div>From the OpenSSL doc it mentioned we need to
                        do ./config fips in order to build openssl under
                        tips mode. I tried that and it worked well.</div>
                      <div><br>
                      </div>
                      <div>Now I am building the OpenSSL FIPS as a
                        Ubuntu package. I noticed the package manager
                        meta script use the Configure (instead of config
                        script) under the openssl source folder.</div>
                      <div><br>
                      </div>
                      <div>I was wondering should I also do "Configure
                        fips", if I use the Configure script to
                        configure the source tree? What's the
                        relationship between config and Configure
                        scripts?</div>
                      <div><br>
                      </div>
                      <div>Or should I just run ./config fips first and
                        then let the package manager script to run
                        Configure?</div>
                      <div><br>
                      </div>
                      <div>Thanks.</div>
                      <div>Rich</div>
                      <div><br>
                      </div>
                    </div>
                    <br>
                    <fieldset></fieldset>
                    <br>
                  </blockquote>
                  <br>
                </div>
              </div>
            </div>
            <br>
            --<br>
            openssl-users mailing list<br>
            To unsubscribe: <a moz-do-not-send="true"
              href="https://mta.openssl.org/mailman/listinfo/openssl-users"
              rel="noreferrer" target="_blank">https://mta.openssl.org/mailman/listinfo/openssl-users</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
    </blockquote>
    <br>
  </body>
</html>