Hello,
I am having difficulting when running stunnel in FIPS mode and using a
SIGHUP to get stunnel to re-read it's configuration file (for instance if
I've changed a port # or IP address for one of the connections). This
causes stunnel to call the SSL routine FIPS_mode_set() a second time after
receiving the SIGHUP, which in turn attempts to reinitialize SSL.
Unfortunately, OpenSSL does not support calling FIPS_mode_set(1) more than
once. The initialization of SSL becomes incomplete as a result of the 2nd
call and subsequent attempts to use stunnel to establish encrypted
connections fail.
Does anyone have any suggestions on how I can make this work (besides
killing and restarting stunnel)?
If not, I have a proposed fix (and there are multiple ways that this could
be addressed). Anyway, my suggestion is to add the following two lines to
the ssl_configure() function (found in the file "ssl.c"), right before the
current FIPS_mode_set() routine is called:
FIPS_mode_set(0);
RAND_set_rand_method(NULL);
The function currently looks like:
int ssl_configure(void) { /* configure global SSL settings */
#ifdef USE_FIPS
if(!FIPS_mode_set(global_options.option.fips)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
return 0;
}
s_log(LOG_NOTICE, "FIPS mode %s",
global_options.option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
:
:
}
With the suggested fix, it would look as follows:
int ssl_configure(void) { /* configure global SSL settings */
#ifdef USE_FIPS
FIPS_mode_set(0);
RAND_set_rand_method(NULL);
if(!FIPS_mode_set(global_options.option.fips)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
return 0;
}
s_log(LOG_NOTICE, "FIPS mode %s",
global_options.option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
:
:
}
Does the above seem reasonable. Could this change, or some other
modification which would support using SIGHUP with FIPS, be considered for a
future stunnel update?
Thanks for your help.