[openssl-users] Configure and config in openssl source folder

Steve Marquess marquess at openssl.com
Wed Feb 10 20:47:46 UTC 2016


On 02/10/2016 03:23 PM, cloud force wrote:
> Hi Everyone,
> 
> I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
> 
> From the OpenSSL doc it mentioned we need to do ./config fips in order
> to build openssl under FIPS mode. I tried that and it worked well.
> 
> Now I am building the OpenSSL FIPS as an Ubuntu package. I noticed the
> package manager meta script uses the Configure (instead of config script)
> under the openssl source folder.
> 
> I was wondering should I also do "Configure fips", if I use the
> Configure script to configure the source tree? What's the relationship
> between config and Configure scripts?
> 
> Or should I just run ./config fips first and then let the package
> manager script run Configure?

Well, if you're building OpenSSL proper, as a "FIPS capable" OpenSSL,
then you can do what you want.

Building of the FIPS module beforehand that the "FIPS capable" needs to
reference is a different matter. The sad fact is that the mandated build
procedure for creating ("installing") the OpenSSL FIPS module conflicts
rather violently with typical industry software engineering practice.

That process mandates, as a metaphysical/ideological "pixie dust"
requirement, that the specifically documented commands must be used
exactly as given. It is not acceptable to do something logically and
technically equivalent, such as "Configure" instead of "config". Many
users want to force that rigidly mandated process into an existing
in-house process, with ugly results.

Since you're required to start with the official tarball, and aren't
allowed to change the contents of the tarball, not even a teeny tiny
little bit, there is no point in dumping the tarball contents into your
local source code management/version control system. My recommendation
is that one time only you conduct a solemn candlelit ceremony in which
the build is manually performed in profound and reverential observance
of the mandated procedure. Then take the resulting fipscanister.* and
fips_premain.* files and version control those from then on out. Don't
try to continually rebuild the FIPS module from source that cannot be
modified anyway.

-Steve M.

-- 
Steve Marquess
OpenSSL Validation Services, Inc.
1829 Mount Ephraim Road
Adamstown, MD  21710
USA
+1 877 673 6775 s/b
+1 301 874 2571 direct
marquess at openssl.com
gpg/pgp key: http://openssl.com/docs/0x6D1892F5.asc
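
An added example, not part of the original message or of OpenSSL: one way to guard the version-controlled fipscanister.* and fips_premain.* files recommended above is to record a SHA-256 manifest right after the one-time manual build and verify it before each later build. The manifest name, the directory layout and the use of coreutils sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: pin the one-time build outputs named in the post
# (fipscanister.* and fips_premain.*) and detect any later change.
# Assumptions: manifest name and directory layout are hypothetical;
# sha256sum is the GNU coreutils tool.

MANIFEST_NAME="fips-artifacts.sha256"   # hypothetical file name

# List the pinned artefacts in a directory, sorted for a stable manifest.
fips_list() {
    ( cd "$1" && ls fipscanister.* fips_premain.* 2>/dev/null | sort )
}

# Record digests once, right after the manual build.
fips_record() {
    dir=$1
    files=$(fips_list "$dir")
    [ -n "$files" ] || { echo "no FIPS artefacts in $dir" >&2; return 2; }
    # $files is left unquoted on purpose: one argument per file name.
    ( cd "$dir" && sha256sum $files > "$MANIFEST_NAME" )
}

# Verify before each later build: every recorded file must match, and no
# artefact may have been added or removed since the manifest was written.
fips_verify() {
    dir=$1
    [ -f "$dir/$MANIFEST_NAME" ] || { echo "missing manifest" >&2; return 2; }
    ( cd "$dir" && sha256sum -c "$MANIFEST_NAME" >&2 ) || return 1
    recorded=$(awk '{print $2}' "$dir/$MANIFEST_NAME" | sed 's/^\*//' | sort)
    [ "$recorded" = "$(fips_list "$dir")" ] || {
        echo "artefact set differs from manifest" >&2; return 1; }
}
```

Commit the manifest alongside the artefacts and call fips_verify as the first step of the packaging job, so a changed, missing or unexpected file stops the build.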