OpenVPN FIPS 140-2 Compliant

PLBarton
OpenVpn Newbie
Posts: 12
Joined: Fri Jun 01, 2012 4:05 pm

OpenVPN FIPS 140-2 Compliant

Post by PLBarton » Fri Jul 18, 2014 10:08 pm

I have seen a few requests throughout the forums but no answers nor replies of success. I am attempting to compile a current version of OpenVPN against an OpenSSL-1.0.1h source that I compiled using the OpenSSL-fips-2.0.5 module. I created libssl.a and libcrypto.a and I have been trying, unsuccessfully, to compile the OpenVPN-2.3.4 calling these libraries. I am far from an expert in doing this so I was wondering if anyone else could help me with this? My lack of expertise in this is most likely the problem, but from my reading all I should have to do is reference the static libraries in the ./configure script and OpenVPN should use the FIPS module libraries. Any help would be welcome and appreciated.

Thanks,

Peter

PLBarton
OpenVpn Newbie
Posts: 12
Joined: Fri Jun 01, 2012 4:05 pm

Re: OpenVPN FIPS 140-2 Compliant

Post by PLBarton » Fri Jul 25, 2014 4:15 am

After further reading and web searching I am trying some things and I would hope someone could verify that I am heading in the right direction and help with my error.

I have added a direct call to FIPS_mode_set() in the following files: openvpn.c, crypto.c and ssl.c

    #include <stdio.h>
    #include <stdlib.h>
    #include <openssl/crypto.h>   /* FIPS_mode_set() */
    #include <openssl/err.h>      /* ERR_load_crypto_strings(), ERR_print_errors_fp() */

    #ifdef OPENSSL_FIPS
        /* options.no_fips is an option field added for this build */
        if (options.no_fips <= 0)
        {
            /* Switch the FIPS Object Module into FIPS mode; FIPS_mode_set(1)
               returns 0 when the module is missing or its self-test fails */
            if (!FIPS_mode_set(1))
            {
                ERR_load_crypto_strings();
                ERR_print_errors_fp(stderr);
                exit(1);
            }
            else
                fprintf(stderr, "*** IN FIPS MODE ***\n");
        }
    #endif

I then ran ./configure OPENSSL_FIPS=1 and also set an environment variable OPENSSL_FIPS=1.

Once the configure script finished I ran: make CC=fipsld FIPSLD_CC=gcc

The make ran for quite a while, then errored out with the following:

/bin/bash ../../libtool --tag=CC --mode=link fipsld -g -O2 -o openvpn base64.o buffer.o clinat.o crypto.o crypto_openssl.o crypto_polarssl.o dhcp.o error.o event.o fdmisc.o forward.o fragment.o gremlin.o helper.o httpdigest.o lladdr.o init.o interval.o list.o lzo.o manage.o mbuf.o misc.o platform.o console.o mroute.o mss.o mstats.o mtcp.o mtu.o mudp.o multi.o ntlm.o occ.o pkcs11.o pkcs11_openssl.o pkcs11_polarssl.o openvpn.o options.o otime.o packet_id.o perf.o pf.o ping.o plugin.o pool.o proto.o proxy.o ps.o push.o reliable.o route.o schedule.o session_id.o shaper.o sig.o socket.o socks.o ssl.o ssl_openssl.o ssl_polarssl.o ssl_verify.o ssl_verify_openssl.o ssl_verify_polarssl.o status.o tun.o win32.o cryptoapi.o ../../src/compat/libcompat.la -lnsl -lresolv -llzo2 -lssl -lcrypto -ldl
libtool: link: fipsld -g -O2 -o openvpn base64.o buffer.o clinat.o crypto.o crypto_openssl.o crypto_polarssl.o dhcp.o error.o event.o fdmisc.o forward.o fragment.o gremlin.o helper.o httpdigest.o lladdr.o init.o interval.o list.o lzo.o manage.o mbuf.o misc.o platform.o console.o mroute.o mss.o mstats.o mtcp.o mtu.o mudp.o multi.o ntlm.o occ.o pkcs11.o pkcs11_openssl.o pkcs11_polarssl.o openvpn.o options.o otime.o packet_id.o perf.o pf.o ping.o plugin.o pool.o proto.o proxy.o ps.o push.o reliable.o route.o schedule.o session_id.o shaper.o sig.o socket.o socks.o ssl.o ssl_openssl.o ssl_polarssl.o ssl_verify.o ssl_verify_openssl.o ssl_verify_polarssl.o status.o tun.o win32.o cryptoapi.o ../../src/compat/.libs/libcompat.a -lnsl -lresolv -llzo2 -lssl -lcrypto -ldl
diff: .sha1: No such file or directory
No such file or directory
fingerprint mismatch
make[3]: *** [openvpn] Error 1
make[3]: Leaving directory `/usr/local/src/openvpn-2.3.2/src/openvpn'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/usr/local/src/openvpn-2.3.2/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/usr/local/src/openvpn-2.3.2'
make: *** [all] Error 2

I hope this is not overly verbose, but I believe it is all relevant. If someone can help me out with the error and let me know if I am on the correct path I would really appreciate it.

Thank you,

Peter

gouchet01
OpenVpn Newbie
Posts: 2
Joined: Thu Dec 11, 2014 3:48 am

Re: OpenVPN FIPS 140-2 Compliant

Post by gouchet01 » Fri Dec 12, 2014 8:14 pm

Hello Peter,

It is a little late to answer, but maybe it will help you (?).
It seems like the problem is that it does not find SHA1, because OpenVPN is using MD5.

The way that worked for me:
Install the FIPS Object Module from OpenSSL
Install OpenSSL with ./config fips --with-fipsdir=<path> (as you did I believe)
Apply the openvpn-fips patch from here: https://build.opensuse.org/package/show ... pn/openvpn to your openvpn folder
Add the code FIPS_mode_set(1) as you did and just compile and install.

It works for me! =)

Best,
Quentin
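Added example, not code from either post: a pre-flight check for the FIPS Object Module install before linking OpenVPN with fipsld. It assumes the module's usual layout under the --with-fipsdir prefix (bin/fipsld, bin/fips_standalone_sha1, lib/fipscanister.o and lib/fips_premain.c with their .sha1 fingerprint files) and my reading of the fipsld script, which recomputes the HMAC-SHA-1 fingerprint of fipscanister.o and diffs it against fipscanister.o.sha1; with an empty module path that diff target collapses to ".sha1", which matches the "diff: .sha1: No such file or directory ... fingerprint mismatch" lines in the build log above.

```shell
# Pre-flight check for an OpenVPN build linked through fipsld (added example,
# not code from either post). Assumed layout of an installed FIPS Object Module:
#   $FIPSDIR/bin/fipsld, $FIPSDIR/bin/fips_standalone_sha1 (optional here),
#   $FIPSDIR/lib/fipscanister.o(.sha1), $FIPSDIR/lib/fips_premain.c(.sha1)
# Each .sha1 file is one line: "HMAC-SHA1(<basename>)= <40 hex digits>".

# check_fips_layout DIR -> 0 when the layout is complete, 1 otherwise (problems on stdout)
check_fips_layout() {
    dir=$1
    rc=0
    if [ -z "$dir" ]; then
        # With an empty directory fipsld's "${CANISTER_O}.sha1" collapses to ".sha1"
        echo "FIPSDIR is empty: fipsld would diff against '.sha1' (fingerprint mismatch)"
        return 1
    fi
    for f in bin/fipsld lib/fipscanister.o lib/fipscanister.o.sha1 \
             lib/fips_premain.c lib/fips_premain.c.sha1; do
        [ -e "$dir/$f" ] || { echo "missing: $dir/$f"; rc=1; }
    done
    for obj in fipscanister.o fips_premain.c; do
        sig="$dir/lib/$obj.sha1"
        [ -r "$sig" ] || continue
        # The fingerprint file must have the exact shape fipsld diffs against
        if ! grep -Eq "^HMAC-SHA1\($obj\)= [0-9a-f]{40}\$" "$sig"; then
            echo "malformed fingerprint file: $sig"; rc=1; continue
        fi
        # When the module's own hashing tool is present, verify the fingerprint
        # the way fipsld does (directory stripped from the file name before diff)
        if [ -x "$dir/bin/fips_standalone_sha1" ]; then
            "$dir/bin/fips_standalone_sha1" "$dir/lib/$obj" | sed 's/(.*\//(/' \
                | diff -w "$sig" - >/dev/null \
                || { echo "fingerprint mismatch: $dir/lib/$obj"; rc=1; }
        fi
    done
    return $rc
}

# Usage: pass the prefix given to "./config fips --with-fipsdir=..." before
# running "make CC=fipsld FIPSLD_CC=gcc" in the OpenVPN tree, e.g.
#   check_fips_layout /usr/local/ssl/fips-2.0 && make CC=fipsld FIPSLD_CC=gcc
```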
