bnoeafk

Reputation: 539

Building OpenSSL with FIPS (noec2m) mode on Ubuntu

I'm attempting to follow the outline at from the OpenSSL Wiki to build a FIPS 140-2 compliant Ubuntu server and I'm stumbling at a reasonably early stage.

I've a new virtual Ubuntu 14.04.5 server with the default OpenSSH server running (so that I've got remote SSH to the system) and then downloaded the OpenSSL FIPS Object Model (openssl-fips-2.0.14.tar.gz) and OpenSSL (openssl-1.1.0e.tar.gz).

Compiling the FIPS side of things seems straightforward enough:

  1. ./config
  2. make
  3. make install

However, when it comes to then compiling OpenSSL, I run into a problem:

  1. ./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl -Wl,--enable-new-dtags,-rpath,'$(LIBRPATH)' shared fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
  2. make

    crypto/err/err_all.c:35:27: fatal error: openssl/fips.h: No such file or directory
    # include <openssl/fips.h>
                          ^
    compilation terminated.
    make[1]: *** [crypto/err/err_all.o] Error 1
    make[1]: Leaving directory `/home/user/openssl-1.1.0e'
    make: *** [all] Error 2
    

From this SO post, the author states that he overcame this missing fips.h file by correctly setting an additional parameter to the ./config file, that being "--openssldir" but I've attempted to use both "/home/user/openssl-1.1.0e" as well as the existing "/usr/lib/ssl" (obtained using "openssl version -d") but all to no avail.

Performing a "find / -name fips.h" on my system only shows that file in a couple of places, all of which I've tried to use with the "--openssldir" parameter, but again with no luck...

  1. /usr/src/linux-headers-4.4.0-31/include/linux/fips.h
  2. /usr/local/ssl/fips-2.0/include/openssl/fips.h

Can anyone supply any insight as to what I'm doing wrong here?

Upvotes: 0

Views: 1951

Answers (1)

bnoeafk

Reputation: 539

OK, so the big gotcha here is that I was using OpenSSL-1.1.0e and not an OpenSSL-1.0.x version. You have to use 1.0.x in order to use the FIPS model. Other than that, following the SO article linked to above worked for me.

Upvotes: 0
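
A pre-flight check for the mismatch described in this thread, as an added example that is not part of the original post: it reads the version from the OpenSSL source tree and confirms `fips.h` exists under the FIPS install directory before `./config ... fips` is run. The function names are hypothetical, and it assumes `opensslv.h` sits under `crypto/` in 1.0.x trees and under `include/openssl/` in 1.1.0 trees.

```shell
#!/bin/sh
# Added example: pre-flight check before "./config ... fips" (names are hypothetical).

# Print the release string (e.g. "1.1.0e") recorded in an OpenSSL source tree.
# Assumption: 1.0.x keeps opensslv.h under crypto/, 1.1.0 under include/openssl/.
openssl_tree_version() {
    for h in "$1/crypto/opensslv.h" "$1/include/openssl/opensslv.h"; do
        [ -f "$h" ] || continue
        # The header may define the text twice (a "-fips" variant first);
        # keep only the numeric release from the first match.
        sed -n 's/^#[[:space:]]*define[[:space:]]\{1,\}OPENSSL_VERSION_TEXT[[:space:]]\{1,\}"OpenSSL \([0-9][0-9a-z.]*\).*/\1/p' "$h" | head -n 1
        return 0
    done
    return 1
}

# Return 0 when the tree in $1 can be built against the FIPS module installed
# under $2 (e.g. /usr/local/ssl/fips-2.0); otherwise print the reason, return 1.
fips_preflight() {
    src=$1
    fipsdir=$2
    ver=$(openssl_tree_version "$src") || { echo "no opensslv.h under $src"; return 1; }
    case $ver in
        1.0.*) ;;
        *) echo "OpenSSL $ver: use a 1.0.x release with the FIPS module"; return 1 ;;
    esac
    if [ ! -f "$fipsdir/include/openssl/fips.h" ]; then
        echo "fips.h not found under $fipsdir/include/openssl"
        return 1
    fi
    echo "ok: OpenSSL $ver with FIPS module in $fipsdir"
}

# Usage: sh preflight.sh /home/user/openssl-1.1.0e /usr/local/ssl/fips-2.0
if [ "$#" -eq 2 ]; then
    fips_preflight "$1" "$2"
fi
```

Run against the tree from the question, it reports the 1.1.0e source as the problem rather than the `--openssldir` value.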
