Michael Curran wrote:
I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance which implicitly states I cannot call out shared as part of the config options.
Please let me give you a high-level overview of building stunnel with FIPS support. The process consists of three steps:

1. You need to build the FIPS canister. This canister contains all the cryptographic operations allowed for use in FIPS mode.
2. You need to build OpenSSL shared libraries using the FIPS container built in step (1).
3. You need to build stunnel with the OpenSSL libraries built in step (2).

The requirements for config options *only* apply to step (1).
You should verify step (2) with "openssl version". The output should be something like:

    OpenSSL 1.0.1h-fips 5 Jun 2014

Please note "fips" in the OpenSSL version.

Then, you should verify step (3) with "stunnel -version". The output should contain something like:

    Compiled/running with OpenSSL 1.0.1h-fips 5 Jun 2014

Please note "fips" in the OpenSSL version.
If you have both FIPS and non-FIPS OpenSSL libraries you should make sure that the proper one is used. On Linux you can do it either globally using the /etc/ld.so.conf file, or within the current session using the LD_LIBRARY_PATH environmental variable.
BTW: You can safely ignore the stunnel warning about fips.h. The recent versions of stunnel no longer directly use this file. The warning will be removed in the next release of stunnel.
Mike
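
The two version checks described in the message above, as an added example that is not part of the original e-mail or of stunnel itself. The function names and the `--live` switch are hypothetical, and comparing the two version tokens for equality is an assumption added here to catch the mixed FIPS/non-FIPS library case.

```shell
#!/bin/sh
# Added example: checks the version strings quoted in the message.

# Extract the OpenSSL version token (e.g. "1.0.1h-fips") from a line
# of the form "... OpenSSL <version> <date>".
openssl_token() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Succeeds only if the version token ends in "-fips".
is_fips_token() {
    case "$1" in
        *-fips) return 0 ;;
        *)      return 1 ;;
    esac
}

# $1 = output of "openssl version", $2 = output of "stunnel -version".
# Prints a verdict; returns 0 only when both report the same -fips build.
fips_verdict() {
    ossl=$(openssl_token "$1")
    stun=$(openssl_token "$(printf '%s\n' "$2" | grep 'with OpenSSL')")
    if ! is_fips_token "$ossl"; then echo "openssl-not-fips"; return 1; fi
    if ! is_fips_token "$stun"; then echo "stunnel-not-fips"; return 1; fi
    # Different tokens mean stunnel resolved another libssl than the CLI
    # (check /etc/ld.so.conf and LD_LIBRARY_PATH).
    if [ "$ossl" != "$stun" ]; then echo "version-mismatch"; return 1; fi
    echo "ok"
}

# Live check on the host being verified: sh check_fips.sh --live
if [ "${1:-}" = "--live" ]; then
    fips_verdict "$(openssl version)" "$(stunnel -version 2>&1)"
    # Show which libssl/libcrypto the dynamic linker resolves for stunnel.
    ldd "$(command -v stunnel)" | grep -E 'libssl|libcrypto'
fi
```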