<div dir="ltr">Many thanks Mehmet. Compiling openssl with the "shared" option helped. That resulted in the stunnel build process generating an stunnel executable that dynamically linked to libcrypto.so. With this configuration, the FIPS fingerprint is embedded in the shared library itself and the FIPS self-verification step succeeds.<div>
<br></div><div>Without the "shared" option, stunnel was linking in libcrypto.a statically. With this configuration, fipsld is needed to embed the FIPS fingerprint into the stunnel executable at compile time. However, this does not appear to be currently supported by the stunnel build process.</div>
<div><br></div><div>The reason openssl (application) worked in my examples below is that the openssl build process does support FIPS in both configurations: as-is when dynamically linked, and with fipsld when statically linked.</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Jul 7, 2013 at 11:43 PM, mehmet ozisik <span dir="ltr">&lt;<a href="mailto:mehmetzsk@gmail.com" target="_blank">mehmetzsk@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Hi,<div><br></div><div>I was having the same error on x86. Then I read this and followed the instructions written in this post, and then it worked successfully. Please have a look at this:</div>
<div>
<br></div><div><a href="http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html" target="_blank">http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html</a><br></div><div><br></div><div>Regards</div>
<div>Mehmet</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/8 Ondrej Hrebicek <span dir="ltr">&lt;<a href="mailto:ondrej@gmail.com" target="_blank">ondrej@gmail.com</a>&gt;</span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div class="h5">
<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hello stunnel users,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">
I'm trying to compile stunnel 4.56 with FIPS support on Ubuntu 12.04. Always end up with the infamous "fingerprint does not match" error. I can't figure out what I'm doing wrong.</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">1. Download openssl-fips-2.0.2.tar.gz, unpack, ./config, make, and sudo make install (as specified in <a href="http://www.openssl.org/docs/fips/UserGuide-2.0.pdf" target="_blank">http://www.openssl.org/docs/fips/UserGuide-2.0.pdf</a>)</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">2. Download openssl-1.0.1e.tar.gz, unpack, ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ --with-fipsdir=/usr/local/ssl/fips-2.0/, make depend, make, and sudo make install</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">3. At this point, openssl is working in FIPS mode:</div><div style="font-family:arial,sans-serif;font-size:13px">
&nbsp; &nbsp; > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl version</div><div style="font-family:arial,sans-serif;font-size:13px">&nbsp; &nbsp; OpenSSL 1.0.1e-fips 11 Feb 2013</div><div style="font-family:arial,sans-serif;font-size:13px"><br>
</div><div style="font-family:arial,sans-serif;font-size:13px">&nbsp; &nbsp; > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl sha1 c_rehash</div><div style="font-family:arial,sans-serif;font-size:13px">&nbsp; &nbsp; SHA1(c_rehash)= 5af9e1479950bbbd9d3304c181b3f802c54f64fd</div>
<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">&nbsp; &nbsp; > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 c_rehash</div><div style="font-family:arial,sans-serif;font-size:13px">
&nbsp; &nbsp; Error setting digest md5</div><div style="font-family:arial,sans-serif;font-size:13px">&nbsp; &nbsp; 139806582736544:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">4. Download stunnel-4.56.tar.gz, unpack, ./configure --enable-fips --with-ssl=/usr/local/ssl, make, and sudo make install</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px">5. While configuring and building stunnel completes as expected, the following does appear in ./configure's output:</div><div style="font-family:arial,sans-serif;font-size:13px">
<br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>&nbsp; &nbsp; checking whether to enable FIPS mode support... yes</div><div>&nbsp; &nbsp; configure: **************************************** SSL</div><div>&nbsp; &nbsp; checking for SSL directory... /usr/local/ssl</div>
<div>&nbsp; &nbsp; checking /usr/local/ssl/include/openssl/engine.h usability... yes</div><div>&nbsp; &nbsp; checking /usr/local/ssl/include/openssl/engine.h presence... yes</div><div>&nbsp; &nbsp; checking for /usr/local/ssl/include/openssl/engine.h... yes</div>
<div>&nbsp; &nbsp; checking /usr/local/ssl/include/openssl/ocsp.h usability... yes</div><div>&nbsp; &nbsp; checking /usr/local/ssl/include/openssl/ocsp.h presence... yes</div><div>&nbsp; &nbsp; checking for /usr/local/ssl/include/openssl/ocsp.h... yes</div>
<div>&nbsp; &nbsp; checking /usr/local/ssl/include/openssl/fips.h usability... no</div><div>&nbsp; &nbsp; checking /usr/local/ssl/include/openssl/fips.h presence... no</div><div>&nbsp; &nbsp; checking for /usr/local/ssl/include/openssl/fips.h... no</div>
<div>&nbsp; &nbsp; configure: WARNING: OpenSSL fips header not found</div><div><br></div><div>This is not entirely unexpected as fips.h only exists in /usr/local/ssl/fips-2.0/include/openssl.</div><div><br></div><div>6. Running stunnel however fails:</div>
<div><br></div><div>&nbsp; &nbsp; > /usr/local/bin/stunnel</div><div>&nbsp; &nbsp; Clients allowed=500</div><div>&nbsp; &nbsp; stunnel 4.56 on x86_64-unknown-linux-gnu platform</div><div>&nbsp; &nbsp; Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013</div>
<div>&nbsp; &nbsp; Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS</div><div>&nbsp; &nbsp; Reading configuration from file /usr/local/etc/stunnel/stunnel.conf</div><div>&nbsp; &nbsp; FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match</div>
<div>&nbsp; &nbsp; Line 61: "[pop3s]": Failed to initialize SSL</div><div>&nbsp; &nbsp; str_stats: 5 block(s), 120 data byte(s), 290 control byte(s)</div><div><br></div><div>I can't figure out what's causing this, hoping someone on the list may have a couple suggestions. Thanks in advance!</div>
</div></div>
<br></div></div>
<br></blockquote></div><br></div>
</blockquote></div><br></div>
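Added example (not part of the thread, and not stunnel or OpenSSL project code): a shell helper that tells apart the two configurations described in the top reply, using the text output of `ldd` and `nm`. The function name and the sample `ldd`/`nm` lines are constructed for illustration; a stripped binary has no symbol table and is reported as `unknown`.

```shell
#!/bin/sh
# Classify how a binary obtains libcrypto, from `ldd` and `nm` text.
# On a real host (binary path as used in the thread):
#   classify_fips_linkage "$(ldd /usr/local/bin/stunnel)" \
#                         "$(nm /usr/local/bin/stunnel 2>/dev/null)"

classify_fips_linkage() {
    ldd_out=$1
    nm_out=$2
    if printf '%s\n' "$ldd_out" | grep -q 'libcrypto\.so'; then
        # Dynamic link: the fingerprint is embedded in libcrypto.so itself,
        # so the application binary needs no special link step.
        echo shared
    elif printf '%s\n' "$nm_out" |
         grep -Eq '[[:space:]][Tt][[:space:]]+FIPS_mode_set$'; then
        # FIPS_mode_set is defined inside the binary: libcrypto.a was linked
        # statically, so the fingerprint must be embedded in this executable
        # at link time (the job fipsld does).
        echo static
    else
        echo unknown
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_LDD_SHARED='	linux-vdso.so.1 =>  (0x00007fff0a1ff000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f3c1a000000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19c00000)'
SAMPLE_NM_SHARED='                 U FIPS_mode_set
0000000000404a10 T main'

SAMPLE_LDD_STATIC='	linux-vdso.so.1 =>  (0x00007fff0a1ff000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3c19c00000)'
SAMPLE_NM_STATIC='00000000004a2f30 T FIPS_mode_set
0000000000404a10 T main'

printf 'shared sample: %s\n' \
    "$(classify_fips_linkage "$SAMPLE_LDD_SHARED" "$SAMPLE_NM_SHARED")"
printf 'static sample: %s\n' \
    "$(classify_fips_linkage "$SAMPLE_LDD_STATIC" "$SAMPLE_NM_STATIC")"
```

A `static` result on a binary that fails with "fingerprint does not match" points at the missing link-time fingerprint step rather than at the OpenSSL install.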