I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command:

openssl-fips-2.0.7
  ./config ; make ; make install

openssl-1.0.1h
  ./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install

Stunnel5.02
I am not installing the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different than the OS installed openssl, so as not to risk breaking ssh or OS upgrade capabilities:
  ./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install

During the make phase it just says it cannot find fips.h, but it says fips enabled -- but when I tell it to use FIPS I get:

  checking whether to enable FIPS mode support... yes
  configure: **************************************** SSL
  checking for SSL directory... /usr/local/openssl-100
  checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
  checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
  checking for /usr/local/openssl-100/include/openssl/engine.h... yes
  checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
  checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
  checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
  checking /usr/local/openssl-100/include/openssl/fips.h usability... no
  checking /usr/local/openssl-100/include/openssl/fips.h presence... no
  checking for /usr/local/openssl-100/include/openssl/fips.h... no
  configure: WARNING: OpenSSL fips header not found
  configure: **************************************** write the results
  configure: creating ./config.status

Restarting Stunnel with fips=yes gives me this:

  [!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
  [!] Line 35: "[webapp]": Failed to initialize SSL

The TODO file in the Stunnel5.02 tarball has this:

  * Support static FIPS-enabled build.

Does this mean that it can only currently support a system that is fully fips enabled and not my static libraries that I use for building Stunnel? That's what I get out of this. And upon further reading of the INSTALL.FIPS file I confirm this:

  Unix HOWTO:
  * Only dynamic linking of the FIPS-enabled OpenSSL is currently supported, i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.

I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance, which implicitly states I cannot call out shared as part of the config options.
Mike Curran

From: mike_curran@hotmail.com
To: nobody@dizum.com
Subject: RE: FIPS compliant Stunnel build
Date: Wed, 23 Jul 2014 17:34:08 -0500
I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command:

openssl-fips-2.0.7
  ./config ; make ; make install

openssl-1.0.1h
  ./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install

Stunnel5.02
I am not installing the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different than the OS installed openssl, so as not to risk breaking ssh or OS upgrade capabilities:
  ./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install

During the make phase it just says it cannot find fips.h, but it says fips enabled -- but when I tell it to use FIPS I get:

  checking whether to enable FIPS mode support... yes
  configure: **************************************** SSL
  checking for SSL directory... /usr/local/openssl-100
  checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
  checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
  checking for /usr/local/openssl-100/include/openssl/engine.h... yes
  checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
  checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
  checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
  checking /usr/local/openssl-100/include/openssl/fips.h usability... no
  checking /usr/local/openssl-100/include/openssl/fips.h presence... no
  checking for /usr/local/openssl-100/include/openssl/fips.h... no
  configure: WARNING: OpenSSL fips header not found
  configure: **************************************** write the results
  configure: creating ./config.status

Restarting Stunnel with fips=yes gives me this:

  [!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
  [!] Line 35: "[webapp]": Failed to initialize SSL

The TODO file in the Stunnel5.02 tarball has this:

  * Support static FIPS-enabled build.

Does this mean that it can only currently support a system that is fully fips enabled and not my static libraries that I use for building Stunnel? That's what I get out of this.

Mike Curran
From: nobody@dizum.com
To: mike_curran@hotmail.com
Subject: Re: FIPS compliant Stunnel build
Date: Thu, 24 Jul 2014 00:00:37 +0200
it IS possible...
use FIPSDIR environment variable -- NOT any change to FIPS Object Module ./config command
BUT most important see:
6.6 The "Secure Installation" Issue
of
User Guide for the OpenSSL FIPS Object Module v2.0 (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)
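To see concretely what stunnel's configure probe and the FIPS_mode_set error quoted in this thread are reacting to, here is an added pre-flight script for an OpenSSL install prefix before it is handed to stunnel's ./configure --with-ssl=PREFIX. It is example code written for this page, not code from stunnel, OpenSSL or either poster. It assumes the prefix layout used in the thread (PREFIX/include/openssl/fips.h, PREFIX/lib/libcrypto.a or .so, PREFIX/bin/openssl), that a libcrypto built with "./config fips" exports FIPS_module_mode_set and reports -DOPENSSL_FIPS in "openssl version -a", and it builds its own constructed stand-in trees (a FIPS-looking one and a plain one) so that it runs without a real OpenSSL build.

```shell
#!/bin/sh
# Pre-flight check of an OpenSSL install tree before running
#   stunnel ./configure --with-ssl=PREFIX
# Added illustration for this thread; not stunnel's or OpenSSL's own code.
# The two failures seen in the thread map to two things in the tree:
#   - PREFIX/include/openssl/fips.h missing -> configure warns
#     "OpenSSL fips header not found"
#   - libcrypto not built with "./config fips" -> FIPS_mode_set() fails at
#     runtime with "fips mode not supported". FIPS_mode_set itself exists in
#     every 1.0.1 libcrypto, so the check looks for FIPS_module_mode_set,
#     which is only linked in from the FIPS Object Module, and for the
#     -DOPENSSL_FIPS flag that "openssl version -a" echoes back.

has_fips_header() {
    [ -f "$1/include/openssl/fips.h" ]
}

# 0 = FIPS module linked in, 1 = not, 2 = could not tell (no library or no nm).
libcrypto_is_fips_capable() {
    lib=""
    for c in "$1/lib/libcrypto.a" "$1/lib/libcrypto.so"; do
        if [ -f "$c" ]; then lib="$c"; break; fi
    done
    [ -n "$lib" ] || return 2
    command -v nm >/dev/null 2>&1 || return 2
    if nm "$lib" 2>/dev/null | grep -q 'FIPS_module_mode_set'; then
        return 0
    fi
    return 1
}

# 0 = binary reports -DOPENSSL_FIPS, 1 = it does not, 2 = no binary in PREFIX/bin.
openssl_bin_is_fips() {
    [ -x "$1/bin/openssl" ] || return 2
    "$1/bin/openssl" version -a 2>/dev/null | grep -q 'OPENSSL_FIPS'
}

# Runs all three probes, prints one line per finding, returns 0 only when
# nothing definitely disqualifying was found ("skipped" does not fail it).
check_fips_openssl_tree() {
    prefix="$1"; rc=0
    if has_fips_header "$prefix"; then
        echo "ok:      $prefix/include/openssl/fips.h present"
    else
        echo "missing: $prefix/include/openssl/fips.h (configure will warn 'OpenSSL fips header not found')"
        rc=1
    fi
    libcrypto_is_fips_capable "$prefix"; r=$?
    case $r in
        0) echo "ok:      libcrypto exports FIPS_module_mode_set" ;;
        1) echo "bad:     libcrypto has no FIPS module linked in (FIPS_mode_set will fail)"; rc=1 ;;
        *) echo "skipped: no libcrypto under $prefix/lib or no nm to inspect it" ;;
    esac
    openssl_bin_is_fips "$prefix"; r=$?
    case $r in
        0) echo "ok:      $prefix/bin/openssl was compiled with -DOPENSSL_FIPS" ;;
        1) echo "bad:     $prefix/bin/openssl was not compiled with -DOPENSSL_FIPS"; rc=1 ;;
        *) echo "skipped: no $prefix/bin/openssl to query" ;;
    esac
    return $rc
}

# Constructed fixture, not a real OpenSSL install: a tree with fips.h and a
# stand-in "openssl" script answering like a FIPS build, or a plain tree.
make_demo_tree() {
    mkdir -p "$1/include/openssl" "$1/bin"
    if [ "$2" = fips ]; then
        : > "$1/include/openssl/fips.h"
        printf '#!/bin/sh\necho "compiler: gcc -DOPENSSL_FIPS -DOPENSSL_THREADS"\n' > "$1/bin/openssl"
    else
        printf '#!/bin/sh\necho "compiler: gcc -DOPENSSL_THREADS"\n' > "$1/bin/openssl"
    fi
    chmod +x "$1/bin/openssl"
}

demo=$(mktemp -d)
make_demo_tree "$demo/fips" fips
make_demo_tree "$demo/plain" nofips
echo "== $demo/fips";  check_fips_openssl_tree "$demo/fips"  || echo "-> not FIPS-capable"
echo "== $demo/plain"; check_fips_openssl_tree "$demo/plain" || echo "-> not FIPS-capable"
rm -rf "$demo"
```

To run it against a real tree, replace the demo section with a single call such as check_fips_openssl_tree /usr/local/openssl-100; the "missing" line for fips.h is exactly the condition behind the configure warning quoted above, and a "bad" libcrypto line predicts the FIPS_mode_set failure before stunnel is even restarted.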