[openssl-dev] Openssl 1.0.2c include the FIPS 140-2 Object Module

Jan Ehrhardt phpdev at ehrhardt.nl
Fri Aug 14 14:22:51 UTC 2015


Dr. Matthias St. Pierre in gmane.comp.encryption.openssl.devel (Fri, 14
Aug 2015 08:12:58 +0200):
>You say that FIPS 140-2 was broken by the introduction of applink.c .
>
>However the applink.c module was introduced way back in 2004 and nevertheless
>OpenSSL 1.0.1 and the FIPS 2.0.9 module built happily together on Windows ever since.
>(and you can see in the build logs that '-DOPENSSL_USE_APPLINK' appears a lot)

I guess there was a change from optional (in VC9/VC11) to required in
VC14, but only for the 1.0.2 branch. The PHP devs were the first to notice
and included applink.c in the VS2015/VC14 builds of PHP7. Apachelounge
followed by including applink.c in the VS2015/VC14 builds of Apache
2.4.16. Then I tried to compile OpenSSL 1.0.2c + FIPS 2.0.9 with VC14 and
ran into the error.

>Even OpenSSL 1.0.2 and FIPS 2.0.9 build together perfectly on our Windows machines
>with VS2012. Only after migrating to VS2015 we started to have this problem.

True. But the Windows world is moving to VS2015/VC14, so OpenSSL has to
follow. I have a faint recollection that OpenSSL 1.0.2a still had FIPS
support. If that is the case, maybe you can track down where it went
wrong.

Jan

PS. We are not obliged to use a FIPS-compliant OpenSSL, so I did not
investigate further. And, besides that, we are still running OpenSSL
1.0.1.


