Marcin Barylski

Reputation: 448

openssl-1.0.0o: undefined symbol: FIPS_mode

I am trying to use openssl-1.0.0o (I need to use the 1.0.0 line, with the fix for the OpenSSL POODLE attack: https://www.openssl.org/~bodo/ssl-poodle.pdf, https://www.openssl.org/news/secadv_20141015.txt).

I have built openssl-1.0.0o RPMs but after installing it I am experiencing the following issue when trying to use ssh/scp from this host:

ssh: symbol lookup error: ssh: undefined symbol: FIPS_mode

Have I missed something? I do not see such an issue with openssl-1.0.0j.

Upvotes: 1

Views: 5964

Answers (1)

jww

Reputation: 102205

I am trying to use openssl-1.0.0o ...
...
ssh: symbol lookup error: ssh: undefined symbol: FIPS_mode

OpenSSL 1.0.0's cryptography was never FIPS validated, so that version of the library is not FIPS capable (the second follows from the first). You need to move to OpenSSL 1.0.1, or you need to engage the OpenSSL Foundation to get a private label validation for 1.0.0.

Or, you could "fake it" by providing the missing exports if you don't need FIPS validation. That will include FIPS_mode_set, FIPS_mode and friends. You can get a partial list of the potential FIPS_* functions in Appendix I - API Entry Points by Source File from the OpenSSL User Guide 2.0 for the FIPS Object Module.

Related: OpenSSL 1.0.0-fips 29 Mar 2010 on the OpenSSL mailing list.


Have I missed something? I do not see such an issue with openssl-1.0.0j.

Hmmm... I thought Red Hat used NSS for its validated cryptography. There's no telling what Red Hat is doing.

And are you sure that is not openssl-1.0.1j? According to ftp.openssl.org/source/, there is no openssl-1.0.0j.

Upvotes: 1
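A way to find out which `FIPS_*` symbols a binary such as ssh imports but the installed libcrypto does not export, added here as an example; it is not part of the original question or answer. The function names (`missing_symbols`, `check_binary`, `sample_run`) are hypothetical, and the `nm` lines in `sample_run` are constructed sample data.

```shell
#!/bin/sh
# Added example: report symbols a binary imports that a shared library lacks.

# missing_symbols <imports-file> <exports-file> [prefix]
# The files hold `nm -D --undefined-only` and `nm -D --defined-only` output.
missing_symbols() {
    awk -v prefix="${3:-FIPS_}" '
        NF == 0 { next }
        { sym = $NF; sub(/@.*/, "", sym) }      # drop ELF version suffix (@VER, @@VER)
        index(sym, prefix) != 1 { next }        # keep only names with the prefix
        pass == 1 { exported[sym] = 1; next }   # first file: what the library offers
        !(sym in exported) && !seen[sym]++ { print sym }
    ' pass=1 "$2" pass=2 "$1" | sort
}

# check_binary <binary> <shared-library> [prefix]: run the comparison on real files.
check_binary() {
    tmp=$(mktemp -d) || return 1
    nm -D --undefined-only "$1" > "$tmp/imports"
    nm -D --defined-only "$2" > "$tmp/exports"
    missing_symbols "$tmp/imports" "$tmp/exports" "${3:-FIPS_}"
    rm -rf "$tmp"
}

# sample_run: constructed nm output for a FIPS-aware client and a non-FIPS libcrypto.
sample_run() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/imports" <<'EOF'
                 U FIPS_mode
                 U FIPS_mode_set
                 U RSA_new
EOF
    cat > "$dir/exports" <<'EOF'
0000000000012340 T RSA_new
0000000000056780 T SSLeay_version
EOF
    missing_symbols "$dir/imports" "$dir/exports"
    rm -rf "$dir"
}
```

Call `check_binary` with the path of the ssh binary and the path of the libcrypto it resolves to (shown by `ldd`); an empty result means every imported `FIPS_*` symbol is exported by that library.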
