[openssl-users] Configure and config in openssl source folder
Kyle Hamilton
aerowolf at gmail.com
Wed Feb 10 20:57:48 UTC 2016
./config autodetects the platform and such, passing various parameters
to Configure. So, after you've built the canister, you can do as you want.
So, to do this, figure out from ./config what parameters it passes to
Configure in the presence of the 'fips' argument, then modify the
command line the packaging script invokes accordingly.
-Kyle H
On 2/10/2016 12:47 PM, cloud force wrote:
> Thanks Kyle.
>
> Yes, for building the FIPS canister I did exactly the same thing as
> mentioned in the security policy doc.
>
> My questions above were mainly regarding building the OpenSSL library
> itself with the fipscanister.o modules.
>
> In the doc it said we should just do "config fips", and since the
> Ubuntu OpenSSL packaging script does not run the config script and
> runs the Configure script instead, I was wondering whether I should still
> run "./config fips" before running the Configure script, or should I just
> run "Configure fips" instead?
>
> Thanks,
> Rich
>
> On Wed, Feb 10, 2016 at 12:37 PM, Kyle Hamilton <aerowolf at gmail.com> wrote:
>
> My understanding is, you must follow the steps given in the
> Security Guide *exactly*, with no deviation, in order to produce a
> validated binary of the FIPS canister. In other words, you *must
> not* try to use Configure when attempting to build the FIPS
> canister because it does not match the steps given in the Security
> Guide.
>
> Once you have the FIPS canister, you can build a version of
> OpenSSL that uses it pretty much indiscriminately (as long as you
> ensure that all the things that fipsld does actually happen when
> it comes time to link).
>
> (I apologize if my knowledge is out of date, I haven't been
> following the FIPS development for a couple of years.)
>
> -Kyle H
>
>
> On 2/10/2016 12:23 PM, cloud force wrote:
>> Hi Everyone,
>>
>> I am trying to build FIPS capable OpenSSL as an Ubuntu 12.04 package.
>>
>> The OpenSSL doc mentioned that we need to do ./config fips in
>> order to build openssl under fips mode. I tried that and it
>> worked well.
>>
>> Now I am building the OpenSSL FIPS as an Ubuntu package. I noticed
>> the package manager meta script uses the Configure script (instead of
>> the config script) under the openssl source folder.
>>
>> I was wondering should I also do "Configure fips", if I use the
>> Configure script to configure the source tree? What's the
>> relationship between config and Configure scripts?
>>
>> Or should I just run ./config fips first and then let the package
>> manager script run Configure?
>>
>> Thanks.
>> Rich
>>
>>
>>
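Added example (not part of the original post, and not OpenSSL or Ubuntu packaging code): a shell example of the approach Kyle describes for the FIPS-capable OpenSSL build, not for the canister itself. It assumes the OpenSSL 1.0.x `./config -t` test mode, which prints the Configure command line without running it; the sample output and the packaging argument list are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Read `./config -t fips` output on stdin and print only the arguments
# that ./config would hand to Configure.
configure_args() {
    # Keep the line that invokes ./Configure; drop everything up to the args.
    sed -n 's/^.*\.\/Configure[[:space:]]\{1,\}//p' | tail -n 1
}

# Print each argument ./config would pass ($1) that the packaging
# script's Configure call ($2) does not already contain.
missing_args() (
    set -f                      # no glob expansion while word-splitting
    for want in $1; do
        found=no
        for have in $2; do
            if [ "$want" = "$have" ]; then found=yes; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$want"; fi
    done
)

# Constructed sample of what `./config -t fips` prints on a Linux x86_64 host.
SAMPLE_CONFIG_T='Operating system: x86_64-whatever-linux2
Configuring for linux-x86_64
/usr/bin/perl ./Configure linux-x86_64 fips -Wa,--noexecstack'

# Constructed stand-in for the arguments a packaging script passes to Configure.
SAMPLE_PKG_ARGS='linux-x86_64 shared no-ssl2 -Wa,--noexecstack'

# In a real source tree, replace the sample with:
#   ./config -t fips | configure_args
wanted=$(printf '%s\n' "$SAMPLE_CONFIG_T" | configure_args)
echo "Arguments ./config passes to Configure: $wanted"
echo "Missing from the packaging script's Configure call:"
missing_args "$wanted" "$SAMPLE_PKG_ARGS"
```

Anything the second function reports is what has to be added to the Configure command line in the packaging script.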