gerald_clark wrote:
Why in the world would you recommend that?
Only the CentOS openssl should be installed.
Most of the problems being reported are due to foreign openssl package conflicts.
Sorry, but I have a fair amount of knowledge of OpenSSL, and my packages have several patches and optimizations not present in the CentOS RPMs, some of them being part of RHEL7/Fedora21:
https://www.axivo.com/resources/openssl-setup.2/
As a side note, we don't build FIPS; it is also noted by CentOS developers that it should be used only for debug purposes. OpenSSL developers stated clearly that "OpenSSL FIPS itself is not validated, and never will be." Besides that, if you change a single character in the FIPS code (which CentOS patches do), nothing validates, therefore the note to use it for debug purposes.
http://www.openssl.org/docs/fips/fipsnotes.html
My compile options (note the build date):
# openssl version -a
OpenSSL 1.0.1g 7 Apr 2014
built on: Mon Apr 7 15:55:48 EDT 2014
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O3 -g -m64 -mtune=nocona -m128bit-long-double -mmmx -msse3 -mfpmath=sse -Wa,--noexecstack -fomit-frame-pointer -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rsax rdrand dynamic