<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'><span style="color: rgb(68, 68, 68); font-size: 15.199999809265137px; line-height: 21.299999237060547px; background-color: rgb(255, 255, 255);">I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. </span><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">openssl-fips-2.0.7 </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">./config ; make ; make install</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">openssl-1.0.1h</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">Stunnel5.02</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">I am not installling the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different than the OS installed openssl so as not to risk breaking ssh or OS Upgrade capabilities </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install<br><br><br>During the Make phase it just says it cannot find fips.h but it says fips enabled -- but when I tell it to use FIPS I get </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><div>checking whether to enable FIPS mode support... yes</div><div>configure: **************************************** SSL</div><div>checking for SSL directory... /usr/local/openssl-100</div><div>checking /usr/local/openssl-100/include/openssl/engine.h usability... yes</div><div>checking /usr/local/openssl-100/include/openssl/engine.h presence... yes</div><div>checking for /usr/local/openssl-100/include/openssl/engine.h... yes</div><div>checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes</div><div>checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes</div><div>checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes</div><div>checking /usr/local/openssl-100/include/openssl/fips.h usability... no</div><div>checking /usr/local/openssl-100/include/openssl/fips.h presence... no</div><div>checking for /usr/local/openssl-100/include/openssl/fips.h... no</div><div>configure: WARNING: OpenSSL fips header not found</div><div>configure: **************************************** write the results</div><div>configure: creating ./config.status</div></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">Restarting Stunnel with fips=yes gives me this </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><div>[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported</div><div>[!] Line 35: "[webapp]": Failed to initialize SSL</div></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">The TODO file in Stunnel5.02 tarball has this </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">* Support static FIPS-enabled build.</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">Does this mean that it can only currently support a system that is fully fips enabled and not my static libraries that I use for building Stunnel? Thats what I get out of this.</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">And upon further reading of the INSTALL.FIPS file I confirm this </div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><div>Unix HOWTO:</div><div>* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,</div><div> i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.</div><div><br></div></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance which implicitly states I cannot call out shared as part of the config options.</div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);"><br></div><div style="line-height: 21.299999237060547px; color: rgb(68, 68, 68); font-size: 15.199999809265137px; background-color: rgb(255, 255, 255);">Mike Curran</div><br><div><hr id="stopSpelling">From: mike_curran@hotmail.com<br>To: nobody@dizum.com<br>Subject: RE: FIPS compliant Stunnel build<br>Date: Wed, 23 Jul 2014 17:34:08 -0500<br><br>
<style><!--
.ExternalClass .ecxhmmessage P {
padding:0px;
}
.ExternalClass body.ecxhmmessage {
font-size:12pt;
font-family:Calibri;
}
--></style>
<div dir="ltr">I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. <div><br></div><div>The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command </div><div><br></div><div>openssl-fips-2.0.7 </div><div>./config ; make ; make install</div><div><br></div><div>openssl-1.0.1h</div><div>./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install</div><div><br></div><div>Stunnel5.02</div><div><br></div><div><br></div><div>I am not installling the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different than the OS installed openssl so as not to risk breaking ssh or OS Upgrade capabilities </div><div><br></div><div>./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install<br><br><br>During the Make phase it just says it cannot find fips.h but it says fips enabled -- but when I tell it to use FIPS I get </div><div><br></div><div><div>checking whether to enable FIPS mode support... yes</div><div>configure: **************************************** SSL</div><div>checking for SSL directory... /usr/local/openssl-100</div><div>checking /usr/local/openssl-100/include/openssl/engine.h usability... yes</div><div>checking /usr/local/openssl-100/include/openssl/engine.h presence... yes</div><div>checking for /usr/local/openssl-100/include/openssl/engine.h... yes</div><div>checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes</div><div>checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes</div><div>checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes</div><div>checking /usr/local/openssl-100/include/openssl/fips.h usability... no</div><div>checking /usr/local/openssl-100/include/openssl/fips.h presence... no</div><div>checking for /usr/local/openssl-100/include/openssl/fips.h... no</div><div>configure: WARNING: OpenSSL fips header not found</div><div>configure: **************************************** write the results</div><div>configure: creating ./config.status</div></div><div><br></div><div>Restarting Stunnel with fips=yes gives me this </div><div><br></div><div><div>[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported</div><div>[!] Line 35: "[webapp]": Failed to initialize SSL</div></div><div><br></div><div><br></div><div>The TODO file in Stunnel5.02 tarball has this </div><div><br></div><div><div>* Support static FIPS-enabled build.</div></div><div><br></div><div>Does this mean that it can only currently support a system that is fully fips enabled and not my static libraries that I use for building Stunnel? Thats what I get out of this.</div><div><br></div><div>Mike Curran<br><br><div>> From: nobody@dizum.com<br>> To: mike_curran@hotmail.com<br>> Subject: Re: FIPS compliant Stunnel build<br>> Date: Thu, 24 Jul 2014 00:00:37 +0200<br>> <br>> it IS possible...<br>> <br>> use FIPSDIR environment variable -- <br>> NOT any change to FIPS Object Module ./config command<br>> <br>> BUT most important see:<br>> <br>> 6.6 The "Secure Installation" Issue<br>> <br>> of<br>> <br>> User Guide for the OpenSSL FIPS Object Module v2.0<br>> (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)<br>> <br></div></div> </div></div> </div></body>
</html>