I am compiling stunnel on CentOS 5 that has a regular OpenSSL 0.9.8b rpm installed.  I have put my FIPS OpenSSL in /usr/local/sslfips112.

Configure with: ./configure --with-ssl=/usr/local/sslfips112 --enable-fips --disable-libwrap

Make’s linker line:

/bin/sh ../libtool --tag=CC --mode=link FIPSLD_CC=gcc /usr/local/sslfips112/bin/fipsld  -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/sslfips112/include  -lldap -o stunnel   file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o auth.o pty.o libwrap.o  -lz -ldl -lutil -lnsl  -lpthread -L/usr/local/sslfips112/lib -lssl -lcrypto

FIPSLD_CC=gcc /usr/local/sslfips112/bin/fipsld -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/sslfips112/include -o stunnel file.o client.o log.o options.o protocol.o network.o resolver.o ssl.o ctx.o verify.o sthreads.o stunnel.o auth.o pty.o libwrap.o  -lldap -lz -ldl -lutil -lnsl -lpthread -L/usr/local/sslfips112/lib -lssl -lcrypto

This builds a stunnel that seems to run fine.  During startup it says “stunnel is in FIPS mode.”  But if I run “ldd stunnel” it shows it needs /lib/libssl.so.6.  While stunnel is running, lsof shows it has that library open also.  Why does my FIPS stunnel build still use the 0.9.8b shared library?  Shouldn’t all of the ssl dependencies have been handled by the static FIPS openssl library during linking?  The same issue exists for libcrypt.
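
Added example, not part of the original post: ldd prints the whole resolved dependency tree, including libraries that other shared libraries pull in, while readelf -d lists only the binary's own NEEDED entries, so comparing the two shows whether an OpenSSL shared object is a direct dependency of the binary and whether it resolves inside the FIPS prefix. The function names and both sample outputs are constructed for illustration and are not the poster's actual output; the prefix is the one from the post.

```shell
#!/bin/sh
# Classify OpenSSL shared libraries reported by ldd as direct or transitive,
# and as resolving inside or outside the FIPS install prefix.
FIPS_PREFIX=/usr/local/sslfips112   # prefix taken from the post

# Constructed sample: NEEDED lines as printed by `readelf -d <binary>`.
SAMPLE_READELF=' 0x00000001 (NEEDED)  Shared library: [libldap-2.3.so.0]
 0x00000001 (NEEDED)  Shared library: [libz.so.1]
 0x00000001 (NEEDED)  Shared library: [libc.so.6]'

# Constructed sample: lines as printed by `ldd <binary>`.
SAMPLE_LDD='	libldap-2.3.so.0 => /usr/lib/libldap-2.3.so.0 (0x00b3c000)
	libz.so.1 => /usr/lib/libz.so.1 (0x00a10000)
	libssl.so.6 => /lib/libssl.so.6 (0x00c5d000)
	libcrypto.so.6 => /lib/libcrypto.so.6 (0x00d20000)
	libc.so.6 => /lib/libc.so.6 (0x00110000)'

# Print the sonames the binary itself requests (its DT_NEEDED entries).
direct_needed() {
  printf '%s\n' "$1" | sed -n 's/.*(NEEDED).*\[\(.*\)\].*/\1/p'
}

# $1 = readelf -d text, $2 = ldd text.
# Output per OpenSSL library: soname path direct|transitive fips-prefix|system
classify_openssl() {
  needed=$(direct_needed "$1" | tr '\n' ' ')
  printf '%s\n' "$2" | awk -v needed="$needed" -v prefix="$FIPS_PREFIX" '
    BEGIN { n = split(needed, a, " "); for (i = 1; i <= n; i++) direct[a[i]] = 1 }
    $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
      how = ($1 in direct) ? "direct" : "transitive"
      where = (index($3, prefix "/") == 1) ? "fips-prefix" : "system"
      print $1, $3, how, where
    }'
}

# With a path argument, inspect that binary; otherwise use the samples.
if [ -n "${1:-}" ]; then
  classify_openssl "$(readelf -d "$1")" "$(ldd "$1")"
else
  classify_openssl "$SAMPLE_READELF" "$SAMPLE_LDD"
fi
```

A "transitive system" line means some other shared library in the tree requests that OpenSSL object, not the binary itself; running readelf -d on each library ldd lists shows which one.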