I apologize if this was asked in the past. I couldn't find any references to my question in the lists except these (related but not answering the question):
http://www.stunnel.org/pipermail/stunnel-users/2014-July/004673.html
http://www.stunnel.org/pipermail/stunnel-users/2012-November/003963.html
I understand how to compile Stunnel from source, and the FIPS canister for OpenSSL, then build OpenSSL with this FIPS canister, then build Stunnel using that OpenSSL. My question is for the Windows version with filename "stunnel-5.13-installer.exe". That compiled version doesn't seem to be built with FIPS canister, as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar 2015" without a "-fips" appendage after the OpenSSL version. In other words, if it was built as FIPS-compliant, it would show: "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
It may support the FIPS options (in the config file) but it's not FIPS-compliant. I also assume that this doesn't preclude the FIPS options in the config file from working. Specifically, FIPS-compliant does NOT imply that FIPS mode cannot be enabled. Am I understanding this correctly?
Thanks, -Rob
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 24.03.2015 18:08, Rob Lockhart wrote:
> That compiled version doesn't seem to be built with FIPS canister, as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar 2015" without a "-fips" appendage after the OpenSSL version. In other words, if it was built as FIPS-compliant, it would show: "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
"-fips" would indeed have been reported if I had included the OpenSSL headers in a specific order. Namely, #include <openssl/opensslconf.h> needs to come before #include <openssl/opensslv.h>. I will correct this issue in the next release of stunnel.
> It may support the FIPS options (in the config file) but it's not FIPS-compliant.
Yes, it is. It just does not report it properly.
> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot be enabled. Am I understanding this correctly?
The "fips = yes" option only works when OpenSSL is built with the FIPS canister. It is "compliant" when built according to the FIPS Security Policy (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf), where building with the FIPS canister is the most basic requirement.
Thank you very much for reporting this issue!
Mike
On Wed, Mar 25, 2015 at 10:15 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
Thanks for your follow-up; I assumed that it was a cosmetic error and not a build issue too after seeing that "openssl.exe" was included in the install directory. Running "openssl.exe version" in a CMD prompt showed the "-fips" appendage. Thanks for fixing stunnel!
-Rob
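The check Rob describes above (run the bundled openssl.exe and look for the "-fips" suffix), combined with Mike's point that "fips = yes" only takes effect on a canister build, can be scripted on the Windows host. The script below is an added example written for this page; it is not code from the stunnel project or from either poster. It assumes the default 32-bit installer directory, that stunnel.conf and the stunnel.log written by the "output" option live in that directory, and that the log contains the "Compiled/running with ..." line quoted in the thread; adjust the paths for your install.

```powershell
param(
    # Assumed default install directory of stunnel-5.13-installer.exe
    [string]$StunnelDir = "C:\Program Files (x86)\stunnel",
    # Assumed locations of the config file and of the log written by 'output ='
    [string]$ConfPath   = (Join-Path "C:\Program Files (x86)\stunnel" "stunnel.conf"),
    [string]$LogPath    = (Join-Path "C:\Program Files (x86)\stunnel" "stunnel.log")
)

# 1. Ask the bundled openssl.exe for its compiled-in version text. A FIPS
#    canister build appends "-fips" to the version token, e.g.
#    "OpenSSL 1.0.2a-fips 19 Mar 2015"; a plain build prints "OpenSSL 1.0.2a 19 Mar 2015".
$versionLine  = & (Join-Path $StunnelDir "openssl.exe") version 2>&1 | Select-Object -First 1
$versionToken = ([string]$versionLine -split '\s+')[1]
$openSslFips  = $versionToken -like '*-fips'
"openssl.exe version : $versionLine"
"FIPS canister build : $openSslFips"

# 2. Is FIPS mode requested in the config? 'fips' is a global option, and it
#    only does anything when the OpenSSL underneath is a canister build.
$fipsSetting = Select-String -Path $ConfPath -Pattern '^\s*fips\s*=\s*(\w+)' |
    Select-Object -First 1 |
    ForEach-Object { $_.Matches[0].Groups[1].Value.ToLower() }
"stunnel.conf fips   : $(if ($fipsSetting) { $fipsSetting } else { 'not set' })"

# 3. What did stunnel itself log at startup? Note the caveat from the thread:
#    stunnel 5.13 omits the "-fips" suffix on this line even on a FIPS build
#    (header include order), so this line alone cannot prove FIPS is absent.
$compiledLine = Select-String -Path $LogPath -Pattern 'Compiled/running with' |
    Select-Object -Last 1 |
    ForEach-Object { $_.Line }
"stunnel log         : $compiledLine"

# 4. Summarise. The openssl.exe output is the authoritative indicator here.
if (-not $openSslFips) {
    Write-Warning "openssl.exe is not a FIPS canister build; 'fips = yes' cannot work."
} elseif ($fipsSetting -ne 'yes') {
    Write-Warning "FIPS-capable OpenSSL, but 'fips = yes' is not set; FIPS mode is off."
} else {
    "FIPS-capable OpenSSL and fips = yes are both present."
}
```

Run it from an elevated PowerShell prompt if the install directory is under Program Files, and pass -ConfPath/-LogPath explicitly if your config points "output" somewhere else. The warning logic deliberately trusts openssl.exe over the stunnel log line, because the thread establishes that the 5.13 log line under-reports the build.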