Last active Jul 14, 2016
Shell script to compile and install the FIPS-validated OpenSSL object module, a FIPS-capable OpenSSL, and Apache 2.4. Tested on Ubuntu 12.04. This script does not verify the fingerprint of the OpenSSL FIPS object module, and is therefore incomplete. It is a good place to start though.
#!/bin/sh
# Stop at the first failing command so a broken build is never "installed".
set -e

# The gist does not show its download commands. The source URLs are supplied
# by the caller as environment variables (placeholders, not values from the gist).
: "${FIPS_SRC_URL:?set to the download URL of openssl-fips-2.0.5.tar.gz}"
: "${OPENSSL_SRC_URL:?set to the download URL of openssl-1.0.1e.tar.gz}"
: "${HTTPD_SRC_URL:?set to the download URL of httpd-2.4.6.tar.gz}"

echo "installing updates"
sudo apt-get update
echo "installing build-essential"
sudo apt-get install -y build-essential
echo "moving to home dir"
cd ~
echo "getting openssl source"
wget "$OPENSSL_SRC_URL"
echo "getting fips object module source"
wget "$FIPS_SRC_URL"
echo "unpacking fips object module"
tar -xzvf openssl-fips-2.0.5.tar.gz
echo "moving into fips source dir"
cd openssl-fips-2.0.5
echo "configuring"
# The FIPS object module is built with the plain command set (no extra options);
# anything else invalidates the module.
./config
echo "compiling"
make
echo "installing"
sudo make install
echo "moving back to home dir"
cd ~
echo "unpacking openssl source"
tar -xzvf openssl-1.0.1e.tar.gz
echo "moving into openssl source dir"
cd openssl-1.0.1e
echo "configuring with fips directive"
./config fips shared
echo "compiling"
make
echo "installing"
sudo make install
echo "moving old openssl binary to temporary /usr/bin/openssl_orig"
sudo mv /usr/bin/openssl /usr/bin/openssl_orig
echo "creating symlink to fips openssl in /usr/bin"
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
echo "done"
echo "Building apache dependencies"
sudo apt-get build-dep -y apache2
echo "Retrieving Apache2 source files"
wget "$HTTPD_SRC_URL"
echo "extracting Apache2 source"
tar -xzvf httpd-2.4.6.tar.gz
echo "entering httpd-2.4.6"
cd httpd-2.4.6
echo "adding shared library to ldconfig"
# ldconfig only reads /etc/ld.so.conf and /etc/ld.so.conf.d/*.conf; a file dropped
# directly into /etc/ is ignored. A shell redirection runs as the unprivileged
# user, which is why writing to /etc/ fails; tee under sudo writes the root-owned file.
echo '/usr/local/ssl/lib/' | sudo tee /etc/ld.so.conf.d/fips_openssl.conf
sudo ldconfig
echo "configuring"
# No backslash after the last option: a trailing one would hand the next line
# to configure as an argument.
./configure \
--enable-so \
--enable-deflate \
--enable-expires \
--enable-headers \
--enable-rewrite \
--enable-ssl \
--with-ssl=/usr/local/ssl \
--enable-ssl-staticlib-deps
echo "making"
make
echo "make install"
sudo make install
echo "installation complete"
echo ""
echo "starting apache"
sudo /usr/local/apache2/bin/apachectl start
echo ""
echo "verify that apache is running"
# The process built from source is named httpd; the bracket keeps grep from matching itself.
ps aux | grep '[h]ttpd'
echo ""
echo "creating self-signed ssl certs"
cd /usr/local/apache2/conf
# Pass an explicit key size: genrsa in OpenSSL 1.0.1 defaults to 1024 bits.
sudo openssl genrsa -out server.key 2048
sudo openssl req -new -x509 -key server.key -out server.crt
echo "removing symlink to fips openssl"
sudo rm /usr/bin/openssl
echo "moving original openssl back"
sudo mv /usr/bin/openssl_orig /usr/bin/openssl
echo "done"
echo ""
echo "do not forget to uncomment the following lines in httpd.conf:"
echo ""
echo "LoadModule socache_shmcb_module modules/"
echo "Include conf/extra/httpd-ssl.conf"
echo ""
echo "do not forget to add SSLFIPS on in /usr/local/apache2/conf/extra/httpd-ssl.conf"
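The gist description says the script does not verify the fingerprint of the FIPS object module. The following is an added example, not part of the gist, of the two checks a deployer would run around it: comparing the module tarball's HMAC-SHA-1 against the digest published in the OpenSSL FIPS Security Policy for that version (the HMAC key `etaonrishdlcupfm` is the one the OpenSSL FIPS User Guide specifies for this purpose; the expected digest itself is not on this page and is passed in as a parameter), and confirming after installation that the built OpenSSL really enforces FIPS mode by checking that a non-approved algorithm (MD5) is refused once `OPENSSL_FIPS=1` is set. The function names and the default binary path `/usr/local/ssl/bin/openssl` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the gist): checks the install script above omits.

# Print the HMAC-SHA-1 of a file as lowercase hex, using the key the OpenSSL
# FIPS User Guide prescribes for verifying the FIPS object module tarball.
fips_hmac() {
    openssl dgst -sha1 -hmac etaonrishdlcupfm "$1" | awk '{print tolower($NF)}'
}

# Return 0 only when the tarball's HMAC matches the expected digest.
# The expected value must be copied from the Security Policy for the exact
# module version; it is not on this page, so it is a parameter here.
verify_fips_tarball() {
    tarball="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(fips_hmac "$tarball") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $tarball matches the published HMAC-SHA-1"
        return 0
    fi
    echo "MISMATCH: $tarball: expected $expected, got $actual" >&2
    return 1
}

# Return 0 when the given openssl binary reports FIPS capability and refuses a
# non-approved algorithm (MD5) once FIPS mode is forced on via OPENSSL_FIPS=1.
# A build that happily computes MD5 here is not running the FIPS module.
fips_mode_enforced() {
    bin="${1:-/usr/local/ssl/bin/openssl}"   # assumed install path
    "$bin" version | grep -qi fips || return 1
    if OPENSSL_FIPS=1 "$bin" md5 /dev/null >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage (the digest is a placeholder; take the real one from the Security Policy):
#   verify_fips_tarball openssl-fips-2.0.5.tar.gz <HMAC-SHA-1-from-security-policy> \
#       && fips_mode_enforced /usr/local/ssl/bin/openssl
```

Run `verify_fips_tarball` before unpacking the module and `fips_mode_enforced` after `make install` of the FIPS-capable OpenSSL; the second check only proves the OpenSSL binary is FIPS-capable, it does not prove Apache was started with `SSLFIPS on`.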

@quietust quietust commented Jul 14, 2016

L25 - is "sudo" allowed here? The OpenSSL FIPS Security Policy states that you must run the command sets exactly as shown, and command set U2 explicitly includes "make install", not "sudo make install".
