Many thanks Mehmet. Compiling openssl with the "shared" option helped. That resulted in the stunnel build process generating an stunnel executable that dynamically linked to libcrypto.so. With this configuration, the FIPS fingerprint is embedded in the shared library itself and the FIPS self-verification step succeeds.
Without the "shared" option, stunnel was linking in libcrypto.a statically. With this configuration, fipsld is needed to embed the FIPS fingerprint into the stunnel executable at compile time. However, this does not appear to be currently supported by the stunnel build process.
The reason openssl (application) worked in my examples below is that the openssl build process does support FIPS in both configurations: as-is when dynamically linked, and with fipsld when statically linked.
On Sun, Jul 7, 2013 at 11:43 PM, mehmet ozisik mehmetzsk@gmail.com wrote:
Hi,
I was having the same error on x86. Then I read this and followed the instructions written in this post, and it worked successfully. Please have a look at this:
http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html
Regards Mehmet
2013/7/8 Ondrej Hrebicek ondrej@gmail.com
Hello stunnel users,
I'm trying to compile stunnel 4.56 with FIPS support on Ubuntu 12.04. I always end up with the infamous "fingerprint does not match" error. I can't figure out what I'm doing wrong.
- Download openssl-fips-2.0.2.tar.gz, unpack, ./config, make, and sudo make install (as specified in http://www.openssl.org/docs/fips/UserGuide-2.0.pdf)
- Download openssl-1.0.1e.tar.gz, unpack, ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ --with-fipsdir=/usr/local/ssl/fips-2.0/, make depend, make, and sudo make install
At this point, openssl is working in FIPS mode:
OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl sha1 c_rehash
SHA1(c_rehash)= 5af9e1479950bbbd9d3304c181b3f802c54f64fd
OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 c_rehash
Error setting digest md5 139806582736544:error:060A80A3:digital envelope
routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
- Download stunnel-4.56.tar.gz, unpack, ./configure --enable-fips --with-ssl=/usr/local/ssl, make, and sudo make install
- While configuring and building stunnel completes as expected, the following does appear in ./configure's output:

checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/ssl
checking /usr/local/ssl/include/openssl/engine.h usability... yes
checking /usr/local/ssl/include/openssl/engine.h presence... yes
checking for /usr/local/ssl/include/openssl/engine.h... yes
checking /usr/local/ssl/include/openssl/ocsp.h usability... yes
checking /usr/local/ssl/include/openssl/ocsp.h presence... yes
checking for /usr/local/ssl/include/openssl/ocsp.h... yes
checking /usr/local/ssl/include/openssl/fips.h usability... no
checking /usr/local/ssl/include/openssl/fips.h presence... no
checking for /usr/local/ssl/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
This is not entirely unexpected as fips.h only exists in /usr/local/ssl/fips-2.0/include/openssl.
Running stunnel however fails:
/usr/local/bin/stunnel
Clients allowed=500
stunnel 4.56 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
Line 61: "[pop3s]": Failed to initialize SSL
str_stats: 5 block(s), 120 data byte(s), 290 control byte(s)
I can't figure out what's causing this; I'm hoping someone on the list may have a couple of suggestions. Thanks in advance!
stunnel-users mailing list stunnel-users@stunnel.org https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
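The build order the thread settled on, scripted as an added example (this is not code from the thread or from the stunnel or OpenSSL projects). It assumes the same tarball versions and the /usr/local/ssl prefix used in the original post, that the tarballs are already in the current directory, and that sudo make install is acceptable. The one change from the original report is "shared" on the OpenSSL ./config line, so that fipsld embeds the FIPS fingerprint into libcrypto.so. The script also adds the two checks a practitioner wants afterwards: that stunnel links libcrypto dynamically (a static link would need fipsld support in stunnel's build, which the thread says is absent), and that the resulting openssl rejects MD5 in FIPS mode, as in the post's own sha1/md5 test.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the FIPS object module,
# then a FIPS-capable OpenSSL configured with "shared fips", then stunnel
# with --enable-fips, and checks the result. Assumptions: tarballs in $PWD,
# prefix /usr/local/ssl, sudo available (all taken from the original post).
set -eu

PREFIX=/usr/local/ssl
FIPS_DIR=$PREFIX/fips-2.0
FIPS_SRC=openssl-fips-2.0.2
OPENSSL_SRC=openssl-1.0.1e
STUNNEL_SRC=stunnel-4.56

unpack() { rm -rf "$1" && tar xzf "$1.tar.gz"; }

# Step 1: the validated FIPS object module. Its build procedure is fixed by
# the Security Policy, so no extra options are passed here.
build_fips_module() {
    unpack "$FIPS_SRC"
    (cd "$FIPS_SRC" && ./config && make && sudo make install)
}

# Step 2: FIPS-capable OpenSSL. "shared" is what was missing in the original
# report: with it, fipsld embeds the fingerprint in libcrypto.so, so any
# program that links libcrypto dynamically passes FIPS_mode_set().
build_openssl() {
    unpack "$OPENSSL_SRC"
    (cd "$OPENSSL_SRC" \
        && ./config shared fips --with-fipsdir="$FIPS_DIR" \
               --with-fipslibdir="$FIPS_DIR/lib/" \
        && make depend && make && sudo make install)
}

# Step 3: stunnel against that OpenSSL.
build_stunnel() {
    unpack "$STUNNEL_SRC"
    (cd "$STUNNEL_SRC" \
        && ./configure --enable-fips --with-ssl="$PREFIX" \
        && make && sudo make install)
}

# Classify a binary from its ldd output (read on stdin): prints "dynamic"
# when a libcrypto shared object is listed, "static" otherwise. "static"
# means libcrypto.a was linked in and the executable itself would need the
# fingerprint, which is the failing configuration described in the thread.
libcrypto_linkage() {
    if grep -q 'libcrypto\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# Runtime check that FIPS mode is enforced: SHA-1 must work and MD5 must be
# refused, mirroring the openssl commands in the original post.
fips_mode_enforced() {
    OPENSSL_FIPS=1 "$PREFIX/bin/openssl" sha1 /dev/null >/dev/null 2>&1 || return 1
    if OPENSSL_FIPS=1 "$PREFIX/bin/openssl" md5 /dev/null >/dev/null 2>&1; then
        return 1   # MD5 succeeded, so FIPS mode is not in effect
    fi
    return 0
}

# Only build when explicitly asked ("sh build-fips-stunnel.sh build"), so the
# file can also be sourced for the check functions alone.
if [ "${1:-}" = build ]; then
    build_fips_module
    build_openssl
    build_stunnel
    linkage=$(ldd /usr/local/bin/stunnel | libcrypto_linkage)
    echo "stunnel links libcrypto: $linkage"
    if [ "$linkage" != dynamic ]; then
        echo "libcrypto is linked statically; fipsld would be required" >&2
        exit 1
    fi
    fips_mode_enforced && echo "openssl enforces FIPS mode"
fi
```

Run it as `sh build-fips-stunnel.sh build` (the file name is an assumption). If the linkage check prints "static", the OpenSSL configure line was run without "shared" and stunnel picked up libcrypto.a, which reproduces the "fingerprint does not match" failure from the original post.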