On 24.03.2015 18:08, Rob Lockhart wrote:
> That compiled version doesn't seem to be built with FIPS canister, as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar 2015" without a "-fips" appendage after the OpenSSL version. In other words, if it was built as FIPS-compliant, it would show: "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
"-fips" would indeed have been reported if I had included OpenSSL headers in a specific order. Namely, #include <openssl/opensslconf.h> needs to be before #include <openssl/opensslv.h>. I will correct this issue in the next release of stunnel.
> It may support the FIPS options (in the config file) but it's not FIPS-compliant.
Yes, it is. It just does not report it properly.
> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot be enabled. Am I understanding this correctly?
The "fips = yes" option only works when OpenSSL is built with the FIPS canister. It is "compliant" when built according to the FIPS Security Policy: http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf, where building with the FIPS canister is the most basic requirement.
Thank you very much for reporting this issue!
Mike