Pratibha

Reputation: 1786

OpenSSL 1.0.1e failed in FIPS mode

I am compiling OpenSSL with FIPS.

When I tried running the openssl binary in FIPS mode by exporting OPENSSL_FIPS=1, it gave the error below:

47657709811344:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

My platform is Linux Suse.

Please help.

EDIT 1:

I am using the command below to build:

./Configure no-idea fips --prefix=build/Linux.2.6.16_x86-64_gcc-4.1.2/result  --with-fipslibdir=Current/lib/Linux.2.6.16_x86-64_gcc-4.1.2/ --with-fipsdir=Current linux-x86_64 --openssldir=/opt/VRTSssl shared no-zlib no-sse2 no-ec2m

make depend ; make ; make install

Upvotes: 1

Views: 2827

Answers (1)

jww

Reputation: 102205

make depend ; make ; make install

Do a make all rather than just make. One of the issues here is that make install builds things rather than just installing things. It's broken other platforms in the past, such as Android. One way I know to avoid the building of things during install is to issue the make all.

Another bad thing about the OpenSSL script that embeds the fingerprint is that it fails silently. I learned that the hard way on Android too.


--with-fipsdir=Current linux-x86_64

This space is probably causing problems.


--with-fipsdir=...

I seem to recall the fips directory should include fips-2.0 somewhere. It's a little different than just openssldir.


--with-fipslibdir=Current/lib/Linux.2.6.16_x86-64_gcc-4.1.2/

Since you are using --with-fipsdir, I don't believe you need --with-fipslibdir.


Does the openssl binary have a libcrypto.so dependency or rpath set? I'm on a Mac now so I can't check what Linux does.

Upvotes: 2
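
The answer's closing question (does the binary depend on libcrypto.so, and is an rpath set?) can be checked on Linux with readelf and ldd before running the FIPS self-check. This is an added example, not part of the original answer; the function names and the sample readelf output are constructed for illustration.

```shell
#!/bin/sh
# Added example: how does a built openssl binary find libcrypto?

# Constructed sample of `readelf -d` output (not taken from the page).
sample_readelf() {
cat <<'EOF'
Dynamic section at offset 0x7ade0 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libcrypto.so.1.0.0]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/opt/VRTSssl/lib]
EOF
}

# Read `readelf -d` output on stdin; print libcrypto NEEDED entries and
# any RPATH/RUNPATH, one key=value per line.
dyn_summary() {
    sed -n \
        -e 's/.*(NEEDED).*\[\(libcrypto[^]]*\)\].*/needed=\1/p' \
        -e 's/.*(RPATH).*\[\(.*\)\].*/rpath=\1/p' \
        -e 's/.*(RUNPATH).*\[\(.*\)\].*/runpath=\1/p'
}

# "shared" if libcrypto is a dynamic dependency, otherwise "static".
link_mode() {
    if dyn_summary | grep -q '^needed='; then echo shared; else echo static; fi
}

# Inspect a real binary: dynamic entries, the libcrypto the loader resolves,
# then the FIPS self-check. Needs binutils (readelf) and ldd.
check_binary() {
    bin=$1
    readelf -d "$bin" | dyn_summary
    ldd "$bin" | grep libcrypto || echo "libcrypto is not a shared dependency"
    # OPENSSL_FIPS=1 makes the openssl tool enter FIPS mode at startup,
    # so any subcommand exits non-zero if the fingerprint check fails.
    if OPENSSL_FIPS=1 "$bin" version; then
        echo "FIPS self-check: ok"
    else
        echo "FIPS self-check: FAILED" >&2
        return 1
    fi
}
```

Calling `check_binary` with the path to the freshly built openssl binary right after the build turns a silently failed fingerprint embedding into a non-zero exit, and the ldd line shows whether the loader picked up the libcrypto.so you just built or a different copy.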
