I need to run Apache in FIPS 140-2 mode and I am following the instructions given here: https://wiki.openssl.org/index.php/FIPS_Library_and_Apache

However, I am using a newer version of Apache, and I have these packages instead of the ones listed in the wiki:

  • openssl-fips-2.0.16.tar.gz
  • openssl-1.0.2n.tar.gz
  • httpd-2.4.29.tar.gz
  • apr-util-1.6.1.tar.gz
  • apr-1.6.3.tar.gz
  • pcre-8.41.tar.gz

Everything works fine until I attempt a make on the httpd package and it then fails. If I run a make without the two exports for the fingerprints, it completes without issue:

  • export CC=/usr/local/ssl/fips-2.0/bin/fipsld
  • export FIPSLD_CC=/usr/bin/gcc

However, as the wiki describes, when you enable SSLFIPS in httpd.conf it will fail to start with the fingerprint issue without these variables set. But when I attempt to run a make with these exports, I get the following error:

  /root/httpd-2.4.29/srclib/apr/libtool --silent --mode=link /usr/local/ssl/fips-2.0/bin/fipsld  -g -O2 -pthread   -L/usr/local/ssl/lib -lssl -lcrypto -luuid -lrt -lcrypt -lpthread -ldl  \
         -o ab  ab.lo       /root/httpd-2.4.29/srclib/apr-util/libaprutil-1.la -lexpat /root/httpd-2.4.29/srclib/apr/libapr-1.la -luuid -lrt -lcrypt -lpthread -ldl -lm
  ./.libs/ab: error while loading shared libraries: libaprutil-1.so.0: cannot open shared object file: No such file or directory
  Makefile:73: recipe for target 'ab' failed
  make[2]: *** [ab] Error 127
  make[2]: Leaving directory '/root/httpd-2.4.29/support'
  /root/httpd-2.4.29/build/rules.mk:75: recipe for target 'all-recursive' failed
  make[1]: *** [all-recursive] Error 1
  make[1]: Leaving directory '/root/httpd-2.4.29/support'
  /root/httpd-2.4.29/build/rules.mk:75: recipe for target 'all-recursive' failed
  make: *** [all-recursive] Error 1

I'm no expert in compiling Apache, so I have no idea why it fails when using those exported variables. Can anyone help?

FYI, I tried using all of the older versions of httpd, apr, fips, openssl, apr-util and pcre that are listed on the wiki, and in that case everything compiles fine. So this is starting to look like a bug in the newer versions, unless I'm missing something else - DAC

1 Answer

After a lot of testing, the instructions seem to work for the older versions, but for the newer versions of apr and httpd, "--with-included-apr" appeared to be the problem.

Instead of using this, we built apr and apr-util first by themselves, then ran ./configure with "--with-apr=/usr/local/apr/ --with-apr-util=/usr/local/apr-util/" instead. This allowed it to compile and I was able to set SSLFIPS on without issue.
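
The build order described in this answer, written out as a script. This is an added example, not part of the original answer: it also checks the installed httpd for unresolved shared libraries, the failure seen in the question's log. Assumptions: the tarballs are unpacked under /root, the FIPS-capable OpenSSL, pcre and expat are already installed, and httpd uses its default /usr/local/apache2 prefix; the `step`, `build_plan` and `unresolved_libs` names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): build order described in the answer.
set -eu

SRC=${SRC:-/root}                        # assumed: all tarballs unpacked here
APR_PREFIX=/usr/local/apr                # from the answer
APU_PREFIX=/usr/local/apr-util           # from the answer
SSL_PREFIX=/usr/local/ssl                # from -L/usr/local/ssl/lib in the log
FIPSLD=$SSL_PREFIX/fips-2.0/bin/fipsld   # from the question
HTTPD_BIN=/usr/local/apache2/bin/httpd   # assumed: httpd's default prefix
DRY_RUN=${DRY_RUN:-1}                    # 1 = print the plan, 0 = execute it

# Print one build step in dry-run mode, otherwise run it in a subshell.
step() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else ( eval "$*" ); fi
}

# apr and apr-util are installed first, so httpd links against installed
# libraries instead of the bundled srclib copies (--with-included-apr).
build_plan() {
    step "cd $SRC/apr-1.6.3 && ./configure --prefix=$APR_PREFIX && make && make install"
    step "cd $SRC/apr-util-1.6.1 && ./configure --prefix=$APU_PREFIX --with-apr=$APR_PREFIX && make && make install"
    step "cd $SRC/httpd-2.4.29 && ./configure --enable-ssl --with-ssl=$SSL_PREFIX --with-apr=$APR_PREFIX --with-apr-util=$APU_PREFIX"
    step "cd $SRC/httpd-2.4.29 && export CC=$FIPSLD FIPSLD_CC=/usr/bin/gcc && make && make install"
}

# Read ldd output on stdin; print every library the loader could not resolve.
unresolved_libs() {
    awk '/=> not found/ { print $1 }'
}

if [ "${1:-}" = "--run" ]; then
    DRY_RUN=0
    build_plan
    missing=$(ldd "$HTTPD_BIN" | unresolved_libs)
    if [ -n "$missing" ]; then
        echo "unresolved shared libraries: $missing" >&2
        exit 1
    fi
else
    build_plan
fi
```

Run without arguments, the script only prints the four steps; pass `--run` to execute them.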