Sudhir

Reputation: 11

How to build openssl static libs libssl.a & libcrypto.a

I want to build static libraries of OpenSSL that are compatible with glibc 2.17. I want to do this on CentOS 7 with gcc 4.8.5 20150623.

My questions:

Right now when I use ./config -shared and make, it only creates libcrypto.a and not libssl.a.

Upvotes: 1

Views: 2827

Answers (1)

dave_thompson_085

Reputation: 39010

FIPS 140-2 'compliance' isn't really relevant to OpenSSL. As general-purpose software, OpenSSL doesn't and can't implement the upper levels of 140-2 (I haven't worked through -3 yet, lazy me, but it doesn't apply to OpenSSL yet, and may never), and it implements both Approved and non-Approved algorithms in all builds regardless of FIPS.

FIPS 140-2 validation (and certification) is a different matter. To achieve validation, OpenSSL was effectively split into an internal core called the 'FIPS Container' which implements the required primitives and could be validated, and the remainder of 'full' OpenSSL which includes other algorithms and things like certificates, messages, files, protocols, etc. that are not covered by FIPS 140. Thus to use this you must (in order):

  • (download and) separately build the FIPS Container, following the Security Policy (and User Guide) specifications available at https://www.openssl.org/docs/fips.html (the former also registered and archived at CMVP)

  • (download and) build a 'FIPS-capable' version of OpenSSL that is compatible with and referencing the FIPS Container; at present for FIPS Container 2.0 this is OpenSSL version 1.0.1 or 1.0.2

  • use the FIPS-capable OpenSSL in your program(s), either in FIPS mode or not as you select; only operating in FIPS mode meets the requirements for US government systems

Note that the list of tested (and validated) configurations in the Security Policy doesn't include CentOS, so unless you can establish equivalence your result won't actually count as validated anyway.

Upvotes: 1
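The three steps in the answer above, scripted as an added example (this is not code from the question, the answer, or the OpenSSL project). It builds the FIPS Object Module with the plain ./config; make; make install sequence the Security Policy requires, then configures OpenSSL with the fips option, --with-fipsdir pointing at that module, and no-shared so that only libcrypto.a and libssl.a are produced; finally it checks that both archives exist and that a linked program requires no glibc symbol version newer than 2.17. The source directory layout, the tarball versions, the install prefixes, and the presence of objdump are assumptions, not facts from the page; the tarball hashes are not shown here and must be checked against the published values before building.

```shell
#!/bin/sh
# Added example, not from the original post: FIPS-capable static OpenSSL build
# on CentOS 7 (glibc 2.17, gcc 4.8.5) plus two post-build checks.
# Assumptions (not in the original): tarballs already unpacked under $SRC,
# the versions and prefixes below, binutils (objdump) installed.
set -eu

SRC="${SRC:-$HOME/src}"              # assumed: where the tarballs were unpacked
FIPS_SRC="$SRC/openssl-fips-2.0.16"  # assumed version; use the one your Security Policy names
OSSL_SRC="$SRC/openssl-1.0.2u"       # assumed version; must be a FIPS-capable 1.0.1 or 1.0.2
FIPS_DIR="/usr/local/ssl/fips-2.0"   # default install location of the FIPS Object Module
PREFIX="/usr/local/openssl-fips"     # assumed prefix for the FIPS-capable OpenSSL

# Step 1: the FIPS Object Module. The Security Policy allows exactly this
# sequence, with no extra options and no source changes; anything else is
# not the validated module. Runs in a subshell so cd does not leak.
build_fips_module() (
    cd "$1"
    ./config
    make
    make install            # installs fipscanister.o, fips_premain.c etc. under $FIPS_DIR
)

# Step 2: the FIPS-capable OpenSSL. "fips" wires in FIPS_mode_set(),
# --with-fipsdir points at step 1, no-shared yields only the .a archives.
build_fips_capable_openssl() (
    cd "$1"
    ./config fips --with-fipsdir="$2" no-shared --prefix="$3"
    make
    make install
)

# Both static archives must be present; report what is missing, return 1 if any.
check_static_libs() {
    libdir="$1"; missing=0
    for lib in libcrypto.a libssl.a; do
        if [ ! -f "$libdir/$lib" ]; then
            echo "missing: $libdir/$lib" >&2
            missing=1
        fi
    done
    return $missing
}

# Highest GLIBC_x.y referenced in lines read from stdin (output of
# `objdump -T prog` or `nm -D prog`). Prints e.g. "2.17", or "none" if no
# GLIBC_ symbol appears. Three-part versions (2.2.5) compare on x.y only.
max_glibc_version() {
    awk '
        {
            while (match($0, /GLIBC_[0-9]+\.[0-9]+/)) {
                v = substr($0, RSTART + 6, RLENGTH - 6)
                split(v, p, ".")
                key = p[1] * 10000 + p[2]
                if (key > best) { best = key; bestv = v }
                $0 = substr($0, RSTART + RLENGTH)
            }
        }
        END { print (bestv == "" ? "none" : bestv) }'
}

# Returns 0 if version $1 (x.y) is less than or equal to version $2 (x.y).
version_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        ok = (x[1] + 0 < y[1] + 0) || (x[1] + 0 == y[1] + 0 && x[2] + 0 <= y[2] + 0)
        exit !ok
    }'
}

# Step 3 check: symbol versions are bound when the final program is linked,
# not stored in the .a files, so inspect the executable, not the archives.
check_glibc_compat() {
    prog="$1"; limit="${2:-2.17}"
    need=$(objdump -T "$prog" | max_glibc_version)
    [ "$need" = none ] || version_le "$need" "$limit"
}

# Usage: ./build-fips-openssl.sh build
if [ "${1:-}" = build ]; then
    build_fips_module "$FIPS_SRC"
    build_fips_capable_openssl "$OSSL_SRC" "$FIPS_DIR" "$PREFIX"
    check_static_libs "$PREFIX/lib"
fi
```

After building, run check_glibc_compat on an application linked against $PREFIX/lib/libssl.a and libcrypto.a rather than on the archives themselves, because static archives carry no GLIBC_ version tags; a binary linked on CentOS 7 will naturally bind to 2.17 or older. Keep in mind the answer's last point: building on CentOS this way gives you a FIPS-capable OpenSSL, but not a validated configuration unless you can establish equivalence with one listed in the Security Policy.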
