Hello,
I am having difficulting when running stunnel in FIPS mode and using a SIGHUP to get stunnel to re-read it's configuration file (for instance if I've changed a port # or IP address for one of the connections). This causes stunnel to call the SSL routine FIPS_mode_set() a second time after receiving the SIGHUP, which in turn attempts to reinitialize SSL. Unfortunately, OpenSSL does not support calling FIPS_mode_set(1) more than once. The initialization of SSL becomes incomplete as a result of the 2nd call and subsequent attempts to use stunnel to establish encrypted connections fail.
Does anyone have any suggestions on how I can make this work (besides killing and restarting stunnel)?
If not, I have a proposed fix (and there are multiple ways that this could be addressed). Anyway, my suggestion is to add the following two lines to the ssl_configure() function (found in the file "ssl.c"), right before the current FIPS_mode_set() routine is called:
FIPS_mode_set(0);
RAND_set_rand_method(NULL);
The function currently looks like:
int ssl_configure(void) { /* configure global SSL settings */
#ifdef USE_FIPS
if(!FIPS_mode_set(global_options.option.fips)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
return 0;
}
s_log(LOG_NOTICE, "FIPS mode %s",
global_options.option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
:
:
}
With the suggested fix, it would look as follows:
int ssl_configure(void) { /* configure global SSL settings */
#ifdef USE_FIPS
FIPS_mode_set(0);
RAND_set_rand_method(NULL);
if(!FIPS_mode_set(global_options.option.fips)) {
ERR_load_crypto_strings();
sslerror("FIPS_mode_set");
return 0;
}
s_log(LOG_NOTICE, "FIPS mode %s",
global_options.option.fips ? "enabled" : "disabled");
#endif /* USE_FIPS */
:
:
}
Does the above seem reasonable. Could this change, or some other modification which would support using SIGHUP with FIPS, be considered for a future stunnel update?
Thanks for your help.