On Wed, Mar 25, 2015 at 10:15 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
> On 24.03.2015 18:08, Rob Lockhart wrote:
>> That compiled version doesn't seem to be built with FIPS canister, as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar 2015" without a "-fips" appendage after the OpenSSL version. In other words, if it was built as FIPS-compliant, it would show: "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
>
> "-fips" would indeed have been reported if I had included OpenSSL headers in a specific order. Namely, #include <openssl/opensslconf.h> needs to be before #include <openssl/opensslv.h>. I will correct this issue in the next release of stunnel.
>
>> It may support the FIPS options (in the config file) but it's not FIPS-compliant.
>
> Yes, it is. It just does not report it properly.
>
>> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot be enabled. Am I understanding this correctly?
>
> "fips = yes" option only works when OpenSSL is built with FIPS canister. It is "compliant" when built according to the FIPS Security Policy: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf, where building with FIPS canister is the most basic requirement.
>
> Thank you very much for reporting this issue!
>
> Mike
Thanks for your follow-up; I assumed that it was a cosmetic error and not a build issue too after seeing that "openssl.exe" was included in the install directory. Running "openssl.exe version" in a CMD prompt showed the "-fips" appendage. Thanks for fixing stunnel!
-Rob
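The check Rob describes (running `openssl version` and looking for the "-fips" suffix) tells you only what the version string says; since the thread shows that such a string can be wrong for the reason of header order, a practitioner also wants a runtime confirmation. The script below is an added example, not code from the thread or from stunnel. It assumes an OpenSSL 1.0.x `openssl` binary on PATH and relies on two behaviours of OpenSSL 1.0.x FIPS-canister builds: setting `OPENSSL_FIPS=1` in the environment makes the `openssl` command enter FIPS mode at start-up, and in FIPS mode the MD5 digest is refused. The version strings used for the self-test are constructed from the two quoted in the thread.

```shell
#!/bin/sh
# Added example (not part of the stunnel thread): check whether an OpenSSL build
# is a FIPS-canister build, first from its version text, then at runtime.

# Return 0 if the version text names a FIPS build ("-fips" after the version
# number, e.g. "OpenSSL 1.0.2a-fips 19 Mar 2015"), 1 otherwise.
fips_build_from_version() {
    case "$1" in
        OpenSSL\ *-fips*) return 0 ;;
        *) return 1 ;;
    esac
}

# Verdict on the openssl binary given as $1 (default: "openssl" from PATH).
# Returns 0 only when the version text says FIPS AND the tool actually refuses
# MD5 once FIPS mode is forced through the OPENSSL_FIPS environment variable
# (OpenSSL 1.0.x FIPS-canister behaviour, assumed here). Prints one line.
verify_openssl_fips() {
    bin="${1:-openssl}"
    if ! command -v "$bin" >/dev/null 2>&1; then
        echo "no $bin on PATH"
        return 1
    fi
    ver="$("$bin" version 2>/dev/null)"
    if ! fips_build_from_version "$ver"; then
        echo "NOT a FIPS build: $ver"
        return 1
    fi
    # In FIPS mode MD5 is a disabled algorithm, so a successful MD5 of empty
    # input means FIPS mode did not engage even though the string claims it.
    if OPENSSL_FIPS=1 "$bin" md5 </dev/null >/dev/null 2>&1; then
        echo "version text says FIPS but MD5 still allowed with OPENSSL_FIPS=1: $ver"
        return 1
    fi
    echo "FIPS build confirmed: $ver"
    return 0
}

# Usage: sh check_fips.sh --check [path/to/openssl]
[ "$1" = "--check" ] && verify_openssl_fips "$2"
```

The two-step shape is deliberate: the string test is what stunnel's log line and `openssl version` give you, while the forced-FIPS-mode MD5 attempt exercises the canister itself, which is the only thing that distinguishes a build that merely prints "-fips" from one that enforces the FIPS algorithm set.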