Reputation: 251
Cannot compile apache with fips
I need to run apache in fips 140-2 mode and I am following the instructions given here: https://wiki.openssl.org/index.php/FIPS_Library_and_Apache
However I am using a newer version of apache, I have these packages instead of the ones listed in the wiki:
- openssl-fips-2.0.16.tar.gz
- openssl-1.0.2n.tar.gz
- httpd-2.4.29.tar.gz
- apr-util-1.6.1.tar.gz
- apr-1.6.3.tar.gz
- pcre-8.41.tar.gz
Everything works fine until I attempt a make on the httpd package and it then fails. If I run a make without the two exports for the fingerprints, it completes without issue:
- export CC=/usr/local/ssl/fips-2.0/bin/fipsld
- export FIPSLD_CC=/usr/bin/gcc
However as the wiki describes when you enable SSLFIPS in httpd.conf it will fail to start with the fingerprint issue without these variables set. But when I attempt to run a make with these exports I get the following error:
/root/httpd-2.4.29/srclib/apr/libtool --silent --mode=link /usr/local/ssl/fips-2.0/bin/fipsld -g -O2 -pthread -L/usr/local/ssl/lib -lssl -lcrypto -luuid -lrt -lcrypt -lpthread -ldl \
-o ab ab.lo /root/httpd-2.4.29/srclib/apr-util/libaprutil-1.la -lexpat /root/httpd-2.4.29/srclib/apr/libapr-1.la -luuid -lrt -lcrypt -lpthread -ldl -lm
./.libs/ab: error while loading shared libraries: libaprutil-1.so.0: cannot open shared object file: No such file or directory
Makefile:73: recipe for target 'ab' failed
make[2]: *** [ab] Error 127
make[2]: Leaving directory '/root/httpd-2.4.29/support'
/root/httpd-2.4.29/build/rules.mk:75: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/root/httpd-2.4.29/support'
/root/httpd-2.4.29/build/rules.mk:75: recipe for target 'all-recursive' failed
make: *** [all-recursive] Error 1
I'm no expert in compiling apache, so no idea why it fails when using those exported variables. Can anyone help?
Upvotes: 0
Views: 683
Answers (1)
Reputation: 251
After a lot of testing, the instructions seem to be working for the older versions, but for the newer version of apr and httpd the "--with-included-apr" appeared to be the problem.
Instead of using this, we built apr and apr-util first by its self, then ran the .config with "“-with-apr=/usr/local/apr/ -with-apr-util=/usr/local/apr-util/" instead. This allowed it to compile and I was able to set SSLFIPS on without issue.
Upvotes: 0
Related Questions
- RHEL8: FIPS Object Module (fipscanister) existing?
- FIPS_mode_set() code not found in openssl package
- Apache httpd compile (make) error. How to fix it?
- How do I compile fips capable openssl on Windows x64?
- FIPS Capable OpenSSL and openssl/fips.h: No such file or directory
- Error: implicit declaration of function 'FIPS_crypto_set_id_callback'
- Building OpenSSL with FIPS on Mac OSX 10.11
- FIPS Capable OpenSSL and `make depend`
- openssl-1.0.0o: undefined symbol: FIPS_mode
- OpenSSL 1.0.1e failed in FIPS mode