OpenSSL 1.0.1e failed in FIPS mode


Problem description

I am compiling OpenSSL with FIPS.

When I tried running the openssl binary in FIPS mode by exporting OPENSSL_FIPS=1, it gave the error below:

47657709811344:error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match:fips.c:232:

My platform is Linux Suse.

Please help.

I am using the command below to build:

./Configure no-idea fips --prefix=build/Linux.2.6.16_x86-64_gcc-4.1.2/result  --with-fipslibdir=Current/lib/Linux.2.6.16_x86-64_gcc-4.1.2/ --with-fipsdir=Current linux-x86_64 --openssldir=/opt/VRTSssl shared no-zlib no-sse2 no-ec2m

make depend ; make ; make install

Recommended answer

make depend ; make ; make install

Do a make all rather than just make. One of the issues here is make install builds things rather than just installing things. It's broken other platforms in the past, such as Android. One way I know to avoid the building of things during install is to issue the make all.

Another bad thing about the OpenSSL script that embeds the fingerprint is that it fails silently. I learned that the hard way on Android too.

--with-fipsdir=Current linux-x86_64

This space is probably causing problems.

--with-fipsdir=...

I seem to recall the fips directory should include fips-2.0 somewhere. It's a little different than just openssldir.

--with-fipslibdir=Current/lib/Linux.2.6.16_x86-64_gcc-4.1.2/

Since you are using --with-fipsdir, I don't believe you need --with-fipslibdir.

Does the openssl binary have a libcrypto.so dependency or rpath set? I'm on a Mac now so I can't check what Linux does.
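
The checks the answer asks about, written out as an added example that is not part of the original question or answer: it classifies the FIPS start-up error, reports which libcrypto.so the built binary resolves to, and shows any rpath or runpath. The function names are hypothetical, and ldd and readelf are assumed to be installed on the build host.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: sh fips_check.sh /path/to/your/built/openssl
# Assumes ldd and readelf (binutils) are installed on the Linux build host.

# Classify the stderr of an openssl run started with OPENSSL_FIPS=1.
classify_fips_stderr() {
    case "$1" in
        *"fingerprint does not match"*) echo "fingerprint-mismatch" ;;
        *":error:"*)                    echo "other-error" ;;
        *)                              echo "clean" ;;
    esac
}

# Read `ldd` output on stdin; print the file libcrypto.so resolves to.
libcrypto_from_ldd() {
    awk '$1 ~ /^libcrypto\.so/ { print ($3 == "not" ? "not-found" : $3); found = 1 }
         END { if (!found) print "no-libcrypto-dependency" }'
}

# Read `readelf -d` output on stdin; print the RPATH or RUNPATH value, if any.
rpath_from_readelf() {
    sed -n -e 's/.*(RPATH).*\[\(.*\)].*/\1/p' \
           -e 's/.*(RUNPATH).*\[\(.*\)].*/\1/p'
}

if [ -n "${1:-}" ] && [ -x "$1" ]; then
    # Keep stderr only: that is where the FIPS error from the question appears.
    err=$(OPENSSL_FIPS=1 "$1" version 2>&1 >/dev/null) || true
    echo "FIPS start-up : $(classify_fips_stderr "$err")"
    echo "libcrypto used: $(ldd "$1" | libcrypto_from_ldd)"
    echo "rpath/runpath : $(readelf -d "$1" | rpath_from_readelf)"
fi
```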
