[openssl-users] Configure and config in openssl source folder

cloud force cloud.force858 at gmail.com
Wed Feb 10 20:47:11 UTC 2016

Thanks Kyle.

Yes, for building FIPS canister I did exactly the same thing as it
mentioned in the security policy doc.

My questions above were mainly regarding building the OpenSSL library
itself with the fipscanister.o modules.

In the doc it said we should just do "*config fips*", and since the Ubuntu
OpenSSL packaging script does not run *config* script and it run *Configure*
script instead, I was wondering should I still run "./config tips" before
run the Configure script, or should I just run "Configure fips" instead?


On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:

> My understanding is, you must follow the steps given in the Security Guide
> *exactly*, with no deviation, in order to produce a validated binary of the
> FIPS canister.  In other words, you *must not* try to use Configure when
> attempting to build the FIPS canister because it does not match the steps
> given in the Security Guide.
> Once you have the FIPS canister, you can build a version of OpenSSL that
> uses it pretty much indiscriminately (as long as you ensure that all the
> things that fipsld does actually happen when it comes time to link).
> (I apologize if my knowledge is out of date, I haven't been following the
> FIPS development for a couple of years.)
> -Kyle H
> On 2/10/2016 12:23 PM, cloud force wrote:
> Hi Everyone,
> I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
> From the OpenSSL doc it mentioned we need to do ./config fips in order to
> build openssl under tips mode. I tried that and it worked well.
> Now I am building the OpenSSL FIPS as a Ubuntu package. I noticed the
> package manager meta script use the Configure (instead of config script)
> under the openssl source folder.
> I was wondering should I also do "Configure fips", if I use the Configure
> script to configure the source tree? What's the relationship between config
> and Configure scripts?
> Or should I just run ./config fips first and then let the package manager
> script to run Configure?
> Thanks.
> Rich
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20160210/13089135/attachment-0001.html>

More information about the openssl-users mailing list