Many thanks Mehmet. Compiling openssl with the "shared" option helped. That resulted in the stunnel build process generating an stunnel executable that dynamically linked to libcrypto.so. With this configuration, the FIPS fingerprint is embedded in the shared library itself and the FIPS self-verification step succeeds.

Without the "shared" option, stunnel was linking in libcrypto.a statically. With this configuration, fipsld is needed to embed the FIPS fingerprint into the stunnel executable at compile time. However, this does not appear to be currently supported by the stunnel build process.

The reason openssl (application) worked in my examples below is that the openssl build process does support FIPS in both configurations: as-is when dynamically linked, and with fipsld when statically linked.
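The corrected build from the reply above (OpenSSL configured with "shared" so stunnel picks up libcrypto.so, followed by a check that the incore fingerprint test and FIPS mode actually come up), as an added example script that is not part of this thread. It assumes the FIPS module from step 1 is already installed under /usr/local/ssl/fips-2.0, that the openssl-1.0.1e and stunnel-4.56 trees are unpacked in the current directory, and the helper names (classify_linkage, verify_fips_binary) are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: build OpenSSL with the "shared"
# option so stunnel links libcrypto.so dynamically, then verify the result.
# Assumed: the FIPS module from step 1 is installed under /usr/local/ssl/fips-2.0
# and the openssl-1.0.1e and stunnel-4.56 trees are unpacked here.
set -eu
FIPSDIR=/usr/local/ssl/fips-2.0
PREFIX=/usr/local/ssl

# "shared" puts the FIPS fingerprint in libcrypto.so, so an application that
# links it dynamically needs no fipsld step of its own.
build_openssl() {
    (cd openssl-1.0.1e &&
     ./config fips shared --with-fipslibdir="$FIPSDIR/lib/" --with-fipsdir="$FIPSDIR/" &&
     make depend && make && sudo make install)
}

build_stunnel() {
    (cd stunnel-4.56 && ./configure --enable-fips --with-ssl="$PREFIX" &&
     make && sudo make install)
}

# Pure helper (testable offline): read ldd output on stdin and print "dynamic"
# if libcrypto.so is a runtime dependency, otherwise "static" (libcrypto.a).
classify_linkage() {
    if grep -q 'libcrypto\.so'; then echo dynamic; else echo static; fi
}

# Check how a binary got libcrypto and whether FIPS mode actually comes up.
verify_fips_binary() {
    bin=$1
    mode=$(ldd "$bin" | classify_linkage)
    echo "$bin links libcrypto: $mode"
    if [ "$mode" = static ]; then
        echo "static link: the fingerprint would have to be embedded with fipsld" >&2
        return 1
    fi
    # In FIPS mode a non-approved digest (md5) must be refused...
    if OPENSSL_FIPS=1 "$PREFIX/bin/openssl" md5 /dev/null >/dev/null 2>&1; then
        echo "md5 succeeded: FIPS mode is not in effect" >&2
        return 1
    fi
    # ...while an approved one (sha1) still works.
    OPENSSL_FIPS=1 "$PREFIX/bin/openssl" sha1 /dev/null >/dev/null
}

# Only build when asked, so the helpers can be sourced or tested on their own.
if [ "${1:-}" = build ]; then
    build_openssl && build_stunnel && verify_fips_binary /usr/local/bin/stunnel
fi
```

Run it as `sh build-fips-stunnel.sh build`; without the argument it only defines the helpers.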


On Sun, Jul 7, 2013 at 11:43 PM, mehmet ozisik <mehmetzsk@gmail.com> wrote:
Hi,

I was having the same error on x86. Then I read this and followed the instructions written in this post, and it worked successfully. Please have a look at this:

http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html

Regards
Mehmet


2013/7/8 Ondrej Hrebicek <ondrej@gmail.com>
Hello stunnel users,

I'm trying to compile stunnel 4.56 with FIPS support on Ubuntu 12.04. I always end up with the infamous "fingerprint does not match" error. I can't figure out what I'm doing wrong.

1. Download openssl-fips-2.0.2.tar.gz, unpack, ./config, make, and sudo make install (as specified in http://www.openssl.org/docs/fips/UserGuide-2.0.pdf)

2. Download openssl-1.0.1e.tar.gz, unpack, ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ --with-fipsdir=/usr/local/ssl/fips-2.0/, make depend, make, and sudo make install

3. At this point, openssl is working in FIPS mode:
    > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl version
    OpenSSL 1.0.1e-fips 11 Feb 2013

    > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl sha1 c_rehash
    SHA1(c_rehash)= 5af9e1479950bbbd9d3304c181b3f802c54f64fd

    > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 c_rehash
    Error setting digest md5
    139806582736544:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:

4. Download stunnel-4.56.tar.gz, unpack, ./configure --enable-fips --with-ssl=/usr/local/ssl, make, and sudo make install

5. While configuring and building stunnel completes as expected, the following does appear in ./configure's output:

    checking whether to enable FIPS mode support... yes
    configure: **************************************** SSL
    checking for SSL directory... /usr/local/ssl
    checking /usr/local/ssl/include/openssl/engine.h usability... yes
    checking /usr/local/ssl/include/openssl/engine.h presence... yes
    checking for /usr/local/ssl/include/openssl/engine.h... yes
    checking /usr/local/ssl/include/openssl/ocsp.h usability... yes
    checking /usr/local/ssl/include/openssl/ocsp.h presence... yes
    checking for /usr/local/ssl/include/openssl/ocsp.h... yes
    checking /usr/local/ssl/include/openssl/fips.h usability... no
    checking /usr/local/ssl/include/openssl/fips.h presence... no
    checking for /usr/local/ssl/include/openssl/fips.h... no
    configure: WARNING: OpenSSL fips header not found

This is not entirely unexpected as fips.h only exists in /usr/local/ssl/fips-2.0/include/openssl.

6. Running stunnel however fails:

    > /usr/local/bin/stunnel
    Clients allowed=500
    stunnel 4.56 on x86_64-unknown-linux-gnu platform
    Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
    Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
    Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
    FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
    Line 61: "[pop3s]": Failed to initialize SSL
    str_stats: 5 block(s), 120 data byte(s), 290 control byte(s)

I can't figure out what's causing this, hoping someone on the list may have a couple of suggestions. Thanks in advance!

_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users