The documentation on fips= seems ambiguous to me ... does leaving it at the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate it? Or does it do something else I'm not understanding?
Basically, the q. is, what do you have to configure to ensure that you're operating in a FIPS 140-2 compliant manner (at least, as the version of OpenSSL libs bundled understood it)? Do you have to specify ciphers that are validated, etc.? Or just set that config option to "yes" ("no"?)?
And how can one tell if the stunnel binary in use was compiled with FIPS support active? (I'm using the Windows 4.33 binary d/l'ed from mirt.net).
Tia!
---- David G. Bucci
Chuck Norris can kick through all 6 degrees of separation, hitting anyone, anywhere, in the face, at any time. -- ChuckNorrisFacts.com
Bucci, David G wrote:
> The documentation on fips= seems ambiguous to me ... does leaving it at the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate it? Or does it do something else I'm not understanding?
> Basically, the q. is, what do you have to configure to ensure that you're operating in a FIPS 140-2 compliant manner (at least, as the version of OpenSSL libs bundled understood it)? Do you have to specify ciphers that are validated, etc.? Or just set that config option to "yes" ("no"?)?
> And how can one tell if the stunnel binary in use was compiled with FIPS support active? (I'm using the Windows 4.33 binary d/l'ed from mirt.net).
If detected by ./configure, FIPS is enabled by default. You can disable it with a global option.
"stunnel -version" will tell you if it's compiled with FIPS support.
The INSTALL.FIPS file distributed with stunnel should answer your remaining questions:
FIPS support status:
 - Unix platforms are currently supported.
 - Win32 platform is currently unsupported due to some problems with building and linking FIPS-enabled OpenSSL DLLs.

Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
    ./configure --enable-fips
or disable with:
    ./configure --disable-fips

Preliminary WIN32 HOWTO (does NOT work, now):
 - Download and install ActivePerl:
     http://www.activestate.com/Products/activeperl/
 - Download and install MinGW-5.1.3.exe:
     http://www.mingw.org/download.shtml#hdr2
   Also select "g++ compiler" for installation
 - Download and install MSYS-1.0.10.exe:
     http://www.mingw.org/download.shtml#hdr2
 - Download OpenSSL FIPS:
     http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz
 - Execute MSYS and unpack OpenSSL:
     tar -xzf /c/downloads/openssl-fips-1.1.2.tar.gz
 - Build the OpenSSL:
     cd openssl-fips-1.1.2
     ./config fips
     make
     make install
     cd /usr/local/ssl/lib
     ar xv `gcc -print-libgcc-file-name` _chkstk.o _udivdi3.o _umoddi3.o
     mkdir /c/fipscanister/
     cp _* fips* /c/fipscanister/
     exit
 - Download and unpack OpenSSL 0.9.7m:
     http://www.openssl.org/source/openssl-0.9.7m.tar.gz
 - Download and install Visual C++ 2008 Express Edition:
     http://www.microsoft.com/express/vc/
 - Execute "Open Visual Studio 2008 Command Prompt" and build OpenSSL:
     perl Configure VC-WIN32 fips --with-fipslibdir=c:\fipscanister
     ms\do_ms
     nmake -f ms\ntdll.mak
Best regards, Michal Trojnara
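As an added example (not code from this thread or from the stunnel project), a POSIX shell check that answers both questions in the exchange above: whether the binary was built with FIPS support, and whether the configuration leaves the global fips option at its default. It assumes that "stunnel -version" prints a capability line containing the token "FIPS" in a FIPS-enabled build and that the option defaults to "yes" in such a build, as the reply states; the banner and config used are constructed samples.

```shell
# Assumptions (see lead-in): "stunnel -version" output contains "FIPS" when
# the build has FIPS support; the global "fips" option then defaults to "yes".

# Succeed (exit 0) if the version banner advertises FIPS support.
banner_has_fips() {
    printf '%s\n' "$1" | grep -q 'FIPS'
}

# Read a stunnel.conf on stdin and print the effective global "fips" value.
# Only the global part (before the first [service] section) is consulted;
# an absent option means the compiled-in default "yes".
effective_fips() {
    awk '
        /^[ \t]*\[/ { exit }                    # first service section: stop
        /^[ \t]*fips[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")            # strip "fips ="
            sub(/[ \t]+$/, "")                  # strip trailing blanks
            v = tolower($0)
        }
        END { if (v == "") v = "yes"; print v }
    '
}

# Classify a deployment from the banner ($1) and the config on stdin:
# "unsupported" (no FIPS in the build), "enabled" or "disabled".
fips_status() {
    if ! banner_has_fips "$1"; then
        echo unsupported
    elif [ "$(effective_fips)" = "yes" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# Constructed sample inputs so the script runs offline.
SAMPLE_BANNER='stunnel 4.33 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,FIPS'
SAMPLE_CONF='; constructed stunnel.conf that switches FIPS mode off
fips = no
cert = /etc/stunnel/stunnel.pem
[https]
accept = 443
connect = 80'

# On a real host: fips_status "$(stunnel -version 2>&1)" < /etc/stunnel/stunnel.conf
printf '%s\n' "$SAMPLE_CONF" | fips_status "$SAMPLE_BANNER"   # prints "disabled"
```

Per the INSTALL.FIPS text quoted above, a Windows 4.33 build is expected to report "unsupported" here, since FIPS-enabled OpenSSL DLLs could not be linked on Win32 at that time.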