Last active
January 4, 2024 16:00
-
-
Save schwabe/9c3c74b7a14166440b5a6e6dd4e59ca3 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| = Build OpenVPN and OpenSSL with FIPS = | |
| Checkout OpenSSL | |
| git clone https://github.com/openssl/openssl -b openssl-3.2 openssl32-fips | |
| Compile OpenSSL | |
| ./Configure --prefix=${HOME}/oss/openssl32-fips/dist --libdir=${HOME}/oss/openssl32-fips/dist/ --openssldir=${HOME}/oss/openssl32-fips/dist fips -g | |
| make install | |
| Do fipsinstall | |
| cd ${HOME}/oss/openssl32-fips/dist | |
| ./dist/bin/openssl fipsinstall -out dist/fipsmodule.cnf -module dist/ossl-modules/fips.dylib | |
| Edit ${HOME}/oss/openssl32-fips/dist/openssl.cnf | |
| Start of file (see also https://www.openssl.org/docs/man3.2/man7/OSSL_PROVIDER-FIPS.html) | |
| config_diagnostics = 1 | |
| openssl_conf = openssl_init | |
| [algorithm_sect] | |
| default_properties = fips=yes | |
| .include /Users/arne/oss/openssl32-fips/dist/fipsmodule.cnf | |
| [openssl_init] | |
| providers = provider_sect | |
| alg_section = algorithm_sect | |
| [base_sect] | |
| activate = 1 | |
| [provider_sect] | |
| fips = fips_sect | |
| base = base_sect | |
| # | |
| # OpenSSL example configuration file. | |
| # See doc/man5/config.pod for more info. | |
| [rest of default config] | |
| Build OpenVPN. I had no luck with autoconf. The autoconf build would still link against default openssl on macOS for me | |
| mkdir openvpn-fips | |
| cd openvpn-fips | |
| cmake -DOPENSSL_ROOT_DIR=${HOME}/oss/openssl32-fips/dist ~/oss/openvpn-git -DUNSUPPORTED_BUILDS=yes | |
| make | |
| OpenVPN used the config from the dist directory automtically for me but it can also be forced via: | |
| OPENSSLCONF=/Users/arne/oss/openssl32-fips/dist/openssl.cnf ./openvpn | |
| FreeBSD: | |
| sudo openssl fipsinstall -out /etc/ssl/fipsmodule.cnf -module /usr/lib/ossl-modules/fips.so | |
| Config file /etc/ssl/openssl-fips.cnf: | |
| config_diagnostics = 1 | |
| openssl_conf = openssl_init | |
| [algorithm_sect] | |
| default_properties = fips=yes | |
| .include /etc/ssl/fipsmodule.cnf | |
| [base_sect] | |
| activate = 1 | |
| [provider_sect] | |
| fips = fips_sect | |
| base = base_sect | |
| [openssl_init] | |
| providers = provider_sect | |
| alg_section = algorithm_sect | |
| .include /etc/ssl/openssl.cnf | |
| Running OpenVPN like this: | |
| OPENSSL_CONF=/etc/ssl/openssl-fips.cnf ./openvpn --show-ciphers | |
| should only show AES ciphers. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment