I am having a problem compiling with FIPS-enabled mode on. The default is supposed to be FIPS enabled, but when configure runs with no options it states that FIPS is not enabled and the make runs successfully. When I use the --enable-fips option, configure runs just fine but the make fails with:

In file included from common.h:374,
                 from file.c:38:
/usr/include/openssl/fips.h:69:2: error: #error FIPS is disabled.
make: 1254-004 The error code from the last command is 1.

Stop.
make: 1254-004 The error code from the last command is 1.

Stop.

IBM support assures me that FIPS is enabled. At this point I am stuck and do not know what to do next. Can anyone offer any suggestions? My system, oslevel, ssl level, etc. are as follows:
$ uname -a
AIX velssi02 3 5 00C866124C00

$ oslevel -s
AIX 5300-12-02-1036

$ lslpp -l | grep libc
bos.rte.libc 5.3.12.2 COMMITTED libc Library
bos.rte.libcfg 5.3.12.1 COMMITTED libcfg Library
bos.rte.libcur 5.3.11.0 COMMITTED libcurses Library

$ gcc -v
Using built-in specs.
Target: powerpc-ibm-aix5.3.0.0
Configured with: ../configure --with-as=/usr/bin/as --with-ld=/usr/bin/ld --enable-languages=c,c++,java --prefix=/opt/freeware --enable-threads --enable-version-specific-runtime-libs --host=powerpc-ibm-aix5.3.0.0 --target=powerpc-ibm-aix5.3.0.0 --build=powerpc-ibm-aix5.3.0.0 --disable-libjava-multilib
Thread model: aix
gcc version 4.2.0

$ ssh -V
OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009

stunnel-4.34

$ /usr/local/bin/stunnel/stunnel -version
stunnel 4.32 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8k-fips 25 Mar 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6

Global options
debug = daemon.notice
pid = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes

Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Lewis, Joseph E Sr Mr CTR USA USA wrote:

> When I use the --enable-fips option, the configure runs just fine but the make fails with:
> In file included from common.h:374,
>                  from file.c:38:
> /usr/include/openssl/fips.h:69:2: error: #error FIPS is disabled.
> make: 1254-004 The error code from the last command is 1.

[cut]

> IBM support assures me that FIPS is enabled.

[cut]

> stunnel 4.32 on powerpc-ibm-aix5.3.0.0 with OpenSSL 0.9.8k-fips 25 Mar 2009
Yes, it looks like FIPS is indeed enabled in your OpenSSL library. On the other hand it looks like FIPS support is *not* enabled in your OpenSSL headers.
The corresponding code in fips.h is:

#include <openssl/opensslconf.h>
#ifndef OPENSSL_FIPS
#error FIPS is disabled.
#endif
See the output of stunnel ./configure script and look for SSL configuration. You'll find the directory that stunnel gets its OpenSSL headers and libraries from. Maybe you have more than one instance of OpenSSL installed, and stunnel finds not the one with FIPS enabled?
The best solution would be to use header files configured with FIPS support. Alternatively you could manually add:

#define OPENSSL_FIPS

to your opensslconf.h.
Mike
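Added example, not part of the original messages and not stunnel or OpenSSL code: a POSIX shell script for the check suggested in the reply above, comparing whether a header tree's opensslconf.h defines OPENSSL_FIPS with the -fips suffix in the library's version banner. The function names and the sample header trees are constructed for illustration, and the header check is a text scan (a heuristic), not a preprocessor run.

```sh
#!/bin/sh
# Added example (not stunnel or OpenSSL code): compare the FIPS state of an
# OpenSSL header tree with the version banner the linked library reports.

# Status 0 if DIR/openssl/opensslconf.h has an active "#define OPENSSL_FIPS",
# 1 if it does not, 2 if the header is missing. Text scan only (heuristic).
fips_in_headers() {
    conf="$1/openssl/opensslconf.h"
    [ -f "$conf" ] || return 2
    grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' "$conf"
}

# Status 0 if a version banner such as "OpenSSL 0.9.8k-fips 25 Mar 2009"
# carries the -fips suffix.
lib_is_fips() {
    case "$1" in *-fips*) return 0 ;; *) return 1 ;; esac
}

# Print one verdict for a header directory and a library version banner.
check_match() {
    dir="$1"; banner="$2"
    hdr=0; fips_in_headers "$dir" || hdr=$?
    if [ "$hdr" -eq 2 ]; then echo "missing-headers"; return 0; fi
    if lib_is_fips "$banner"; then lib=0; else lib=1; fi
    if [ "$hdr" -eq "$lib" ]; then echo "consistent"; else echo "mismatch"; fi
}

# Constructed sample trees so the script runs offline: one header tree built
# without FIPS, one with it. Prints the temporary root directory.
make_sample_trees() {
    root=$(mktemp -d)
    mkdir -p "$root/nofips/openssl" "$root/fips/openssl"
    printf '/* #define OPENSSL_FIPS */\n#define OPENSSL_THREADS\n' \
        > "$root/nofips/openssl/opensslconf.h"
    printf '#ifndef OPENSSL_FIPS\n# define OPENSSL_FIPS\n#endif\n' \
        > "$root/fips/openssl/opensslconf.h"
    echo "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root=$(make_sample_trees)
    banner="OpenSSL 0.9.8k-fips 25 Mar 2009"   # banner quoted in the thread
    for d in nofips fips absent; do
        echo "$d: $(check_match "$root/$d" "$banner")"
    done
    rm -rf "$root"
fi
```

On a real system, source the file and call check_match with the include directory that ./configure reports and the output of `openssl version`.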
Thanks Michal for your response. We got it figured out. First we had to set the environment variables:

$> export CFLAGS="-DSYSV -D_AIX -D_AIX53 -D_ALL_SOURCE -O2 -DOPENSSL_FIPS"
$> export CC="gcc"

Then we ran the configure command with the following options:

$> ./configure --prefix=<install_dir> --enable-fips

The environment variable allows stunnel to compile correctly; we then followed that up with the make and the make install command and everything completed just fine. Thanks again.
----- Original Message -----
From: Michal Trojnara Michal.Trojnara@mirt.net
Date: Sunday, January 30, 2011 13:09
Subject: Re: [stunnel-users] Compiling with ./configure --enable-fips option
To: stunnel-users@stunnel.org