Hello,
I am having difficulting when running stunnel in FIPS mode and using a SIGHUP to get stunnel to re-read it's configuration file (for instance if I've changed a port # or IP address for one of the connections). This causes stunnel to call the SSL routine FIPS_mode_set() a second time after receiving the SIGHUP, which in turn attempts to reinitialize SSL. Unfortunately, OpenSSL does not support calling FIPS_mode_set(1) more than once. The initialization of SSL becomes incomplete as a result of the 2nd call and subsequent attempts to use stunnel to establish encrypted connections fail.
Does anyone have any suggestions on how I can make this work (besides killing and restarting stunnel)?
If not, I have a proposed fix (and there are multiple ways that this could be addressed). Anyway, my suggestion is to add the following two lines to the ssl_configure() function (found in the file "ssl.c"), right before the current FIPS_mode_set() routine is called:
FIPS_mode_set(0); RAND_set_rand_method(NULL);
The function currently looks like:
int ssl_configure(void) { /* configure global SSL settings */ #ifdef USE_FIPS if(!FIPS_mode_set(global_options.option.fips)) { ERR_load_crypto_strings(); sslerror("FIPS_mode_set"); return 0; } s_log(LOG_NOTICE, "FIPS mode %s", global_options.option.fips ? "enabled" : "disabled"); #endif /* USE_FIPS */ : : }
With the suggested fix, it would look as follows:
int ssl_configure(void) { /* configure global SSL settings */ #ifdef USE_FIPS FIPS_mode_set(0); RAND_set_rand_method(NULL); if(!FIPS_mode_set(global_options.option.fips)) { ERR_load_crypto_strings(); sslerror("FIPS_mode_set"); return 0; } s_log(LOG_NOTICE, "FIPS mode %s", global_options.option.fips ? "enabled" : "disabled"); #endif /* USE_FIPS */ : : }
Does the above seem reasonable. Could this change, or some other modification which would support using SIGHUP with FIPS, be considered for a future stunnel update?
Thanks for your help.