I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command:

openssl-fips-2.0.7
./config ; make ; make install

openssl-1.0.1h
./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install

Stunnel5.02
I am not installing the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different than the OS installed openssl, so as not to risk breaking ssh or OS Upgrade capabilities.
./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install
During the Make phase it just says it cannot find fips.h but it says fips enabled -- but when I tell it to use FIPS I get:

checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status

Restarting Stunnel with fips=yes gives me this:

[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL

The TODO file in the Stunnel5.02 tarball has this:

* Support static FIPS-enabled build.

Does this mean that it can only currently support a system that is fully fips enabled and not my static libraries that I use for building Stunnel? That's what I get out of this. And upon further reading of the INSTALL.FIPS file I confirm this:

Unix HOWTO:
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported, i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.

I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance which implicitly states I cannot call out shared as part of the config options.
Mike Curran

From: mike_curran@hotmail.com
To: nobody@dizum.com
Subject: RE: FIPS compliant Stunnel build
Date: Wed, 23 Jul 2014 17:34:08 -0500
From: nobody@dizum.com
To: mike_curran@hotmail.com
Subject: Re: FIPS compliant Stunnel build
Date: Thu, 24 Jul 2014 00:00:37 +0200
it IS possible...
use FIPSDIR environment variable -- NOT any change to FIPS Object Module ./config command
BUT most important see:
6.6 The "Secure Installation" Issue
of
User Guide for the OpenSSL FIPS Object Module v2.0 (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)
Michael Curran wrote:
I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance which implicitly states I cannot call out shared as part of the config options.
Please let me give you a high-level overview of building stunnel with FIPS support. The process consists of three steps:

1. You need to build the FIPS canister. This canister contains all the cryptographic operations allowed for use in FIPS mode.
2. You need to build OpenSSL shared libraries using the FIPS canister built in step (1).
3. You need to build stunnel with the OpenSSL libraries built in step (2).
The requirements for config options *only* apply to step (1).
You should verify step (2) with "openssl version". The output should be something like:

OpenSSL 1.0.1h-fips 5 Jun 2014

Please note "fips" in the OpenSSL version.

Then, you should verify step (3) with "stunnel -version". The output should contain something like:

Compiled/running with OpenSSL 1.0.1h-fips 5 Jun 2014

Please note "fips" in the OpenSSL version.
If you have both FIPS and non-FIPS OpenSSL libraries you should make sure that the proper one is used. On Linux you can do it either globally using the /etc/ld.so.conf file, or within the current session using the LD_LIBRARY_PATH environmental variable.
BTW: You can safely ignore the stunnel warning about fips.h. The recent versions of stunnel no longer directly use this file. The warning will be removed in the next release of stunnel.
Mike
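The verification described above (steps 2 and 3, plus the library-path check) as a small shell script. This is an added example, not code from the thread or from the stunnel project; it assumes the /usr/local/openssl-100 prefix used in this thread and that openssl and stunnel are on the resulting PATH.

```shell
#!/bin/sh
# Added example: confirm that stunnel is built against, and actually loads,
# the FIPS-capable OpenSSL installed under a private prefix.
# Assumption: the prefix from the thread, overridable via OPENSSL_PREFIX.
OPENSSL_PREFIX=${OPENSSL_PREFIX:-/usr/local/openssl-100}

# Return 0 if a version banner names a fips-tagged OpenSSL, e.g.
# "OpenSSL 1.0.1h-fips 5 Jun 2014" or
# "Compiled/running with OpenSSL 1.0.1h-fips 5 Jun 2014".
is_fips_banner() {
    case "$1" in
        *"OpenSSL "[0-9]*-fips*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if ldd output ($1) resolves libcrypto from prefix ($2), so that a
# non-FIPS system libcrypto is not the one silently being picked up.
libcrypto_from_prefix() {
    printf '%s\n' "$1" | grep 'libcrypto' | grep -q -- "=> $2/"
}

# Run the checks against the real binaries; prints a diagnosis, returns 0 on success.
check_fips_build() {
    # Select the private OpenSSL for this session only (see LD_LIBRARY_PATH above).
    PATH="$OPENSSL_PREFIX/bin:$PATH"
    LD_LIBRARY_PATH="$OPENSSL_PREFIX/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"
    export PATH LD_LIBRARY_PATH

    ossl=$(openssl version 2>/dev/null) || { echo "openssl not found"; return 1; }
    is_fips_banner "$ossl" || { echo "step 2 failed, not a FIPS OpenSSL: $ossl"; return 1; }

    st=$(stunnel -version 2>&1 || true)
    is_fips_banner "$st" || { echo "step 3 failed, stunnel not built with FIPS OpenSSL"; return 1; }

    deps=$(ldd "$(command -v stunnel)" 2>/dev/null || true)
    libcrypto_from_prefix "$deps" "$OPENSSL_PREFIX" ||
        { echo "stunnel resolves libcrypto outside $OPENSSL_PREFIX"; return 1; }

    echo "OK: $ossl"
}

# Only run the live checks when executed directly, not when sourced.
[ "${0##*/}" = "check_fips_build.sh" ] && check_fips_build
```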