Skip to content

Instantly share code, notes, and snippets.

@dylancwood dylancwood/install_fips.sh
Last active Jul 14, 2016

Embed
What would you like to do?
Shell script to compile and install FIPS-validated Open SSL as well as Apache 2.4. Tested on Ubuntu 12.04. This script does not verify the fingerprint of the OpenSSL FIPS object module, and is therefore incomplete. It is a good place to start though.
#!/bin/bash
echo "installing updates"
sudo apt-get update
echo "installing build-essential"
sudo apt-get install build-essential
echo "moving to home dir"
cd ~
echo "getting openssl source"
wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
echo "getting fips object module source"
wget http://www.openssl.org/source/openssl-fips-2.0.5.tar.gz
echo "unpacking fips object module"
tar -xzvf openssl-fips-2.0.5.tar.gz
echo "moving into fips source dir"
cd openssl-fips-2.0.5
echo "configuring"
./config
echo "compiling"
make
echo "installing"
sudo make install
echo "moving back to home dir"
cd ~
echo "unpacking openssl source"
tar -xzvf openssl-1.0.1e.tar.gz
echo "moving into openssl source dir"
cd openssl-1.0.1e
echo "configuring with fips directive"
./config fips shared
echo "compiling"
make
echo "installing"
sudo make install
echo "moving old openssl binary to temporary /usr/bin/openssl_orig"
sudo mv /usr/bin/openssl /usr/bin/openssl_orig
echo "creating symlink to fips openssl in /usr/bin"
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
echo "done"
echo "Building apache dependencies"
sudo apt-get build-dep apache2
echo "Retrieving Apache2 source files"
wget http://www.motorlogy.com/apache//httpd/httpd-2.4.6.tar.gz
echo "extracting Apache2 source"
tar -xzvf httpd-2.4.6.tar.gz
echo "entering httpd-2.4.6"
cd httpd-2.4.6
echo "adding shared library to ldconfig"
#for some reason, I can't write directly to /etc/ld.so.conf.d
#so I will write to the current dir, then move the file
echo '/usr/local/ssl/lib/' > fips_openssl.conf
sudo mv fips_openssl.conf /etc/ld.so.conf.d/.
sudo ldconfig
echo "configuring"
./configure \
--enable-so \
--enable-deflate \
--enable-expires \
--enable-headers \
--enable-rewrite \
--enable-ssl \
--with-ssl=/usr/local/ssl \
--enable-ssl-staticlib-deps \
--enable-mods-static=ssl
echo "making"
make
echo "make install"
sudo make install
echo "installation complete"
echo ""
echo "starting apache"
sudo /usr/local/apache2/bin/apachectl start
echo ""
echo "verify that apache is running"
ps aux | grep apache
echo ""
echo "creating self-signed ssl certs"
cd /usr/local/apache2/conf
sudo openssl genrsa -out server.key
sudo openssl req -new -x509 -key server.key -out server.crt
echo "removing simlink to fips openssl"
sudo rm /usr/bin/openssl
echo "moving original openssl back"
sudo mv /usr/bin/openssl_orig /usr/bin/openssl
echo "done"
echo ""
echo "do not forget to uncomment the following lines in httpd.conf:"
echo ""
echo "LoadModule socache_shmcb_module modules/mod_socache_shmcb.so"
echo "Include conf/extra/httpd-ssl.conf"
echo ""
echo "do not forget to add SSLFIPS on in /usr/local/apache2/conf/extras/httpd-ssl.conf"
@quietust

This comment has been minimized.

Copy link

quietust commented Jul 14, 2016

L25 - is "sudo" allowed here? The OpenSSL FIPS Security Policy states that you must run the command sets exactly as shown, and command set U2 explicitly includes "make install", not "sudo make install".

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.