Hello
I think there is a bit of confusion within my company on what stunnel can do with regard to FIPS 140-2 out of the box. I know there are configuration options that can enable or disable FIPS 140-2 mode, but as the man page indicates:

fips = yes | no
Enable or disable FIPS 140-2 mode. This option allows disabling entering FIPS mode if stunnel was compiled with FIPS 140-2 support.
default: yes

Which to me says I have to compile stunnel on my own using OpenSSL with FIPS libraries to build a stunnel binary that can support FIPS 140-2 compliance -- if I download just the Windows or Unix binaries and install them, then I am not going to be 140-2 compliant whether I set the config file to yes or no, since the FIPS modules won't be compiled into the binary. I'm just looking for confirmation before I take this back to the rest of my group.
Thanks!! Michael Curran
Yes, from INSTALL.FIPS in the stunnel tarball:

stunnel FIPS install notes

Unix HOWTO:

FIPS mode is autodetected if possible. You can force it with:
    ./configure --enable-fips
or disable with:
    ./configure --disable-fips

WIN32 HOWTO:

* On 32-bit Windows install one of the following compilers:
  - MSVC 8.0 (VS 2005) Standard or Professional Edition
  - MSVC 9.0 (VS 2008) any edition including Express Edition
* On 64-bit Windows install one of the following compilers:
  - MSVC 8.0 (VS 2005) Standard or Professional Edition
  - MSVC 9.0 (VS 2008) Standard or Professional Edition
* Build FIPS-compliant OpenSSL DLLs according to:
  http://www.openssl.org/docs/fips/UserGuide-1.2.pdf
* Build stunnel normally with MSVC or Mingw.
  Mingw build requires DLL stubs. Stubs can be built with:
    dlltool --def ms/libeay32.def --output-lib libcrypto.a
    dlltool --def ms/ssleay32.def --output-lib libssl.a
On Mon, Nov 5, 2012 at 4:18 PM, Michael Curran <mike_curran@hotmail.com> wrote:
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
On 2012-11-05 22:18, Michael Curran wrote:
> fips = yes | no
> Enable or disable FIPS 140-2 mode. This option allows disabling entering FIPS mode if stunnel was compiled with FIPS 140-2 support.
> default: yes
>
> Which to me says I have to compile stunnel on my own using OpenSSL with FIPS libraries to build a stunnel binary that can support FIPS 140-2 compliance -- if I download just the Windows or Unix binaries and install them, then I am not going to be 140-2 compliant whether I set the config file to yes or no, since the FIPS modules won't be compiled into the binary.
My Windows binary is built to meet the requirements of the OpenSSL FIPS security policy. AFAIK some other vendors also build their binary distributions of stunnel with FIPS mode enabled.

BTW: the "fips" option is only available when stunnel is built with FIPS support. FIPS mode is also clearly logged on startup.
Mike
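As an added example (not from this thread or the stunnel project), the following POSIX shell script checks the two layers the replies above separate: compile-time FIPS support, as shown in the feature list that `stunnel -version` prints, and the FIPS mode state that stunnel logs when it starts (which is where a build with support but `fips = no` in the config shows up as disabled). The exact FIPS token in the version banner and the "FIPS mode enabled" / "FIPS mode disabled" log messages are assumptions about the strings your build emits; the sample banner and log lines are constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example, not part of the stunnel project or this thread.
# Two checks that separate the two layers the thread is about:
#   1. compile-time support: `stunnel -version` lists the features the
#      binary was built with; a FIPS-capable build is assumed to list
#      the token FIPS (the surrounding line layout differs by version).
#   2. runtime state: at startup stunnel logs whether FIPS mode was
#      entered. The messages "FIPS mode enabled" / "FIPS mode disabled"
#      are assumed here; adjust the pattern to what your build logs.
# Both functions take text as an argument so the script runs offline.

# Exit 0 if the version banner shows FIPS among the compiled-in features.
# Case-sensitive on purpose: an OpenSSL version string such as
# "1.0.1c-fips" does not by itself prove stunnel was built with support.
has_fips_support() {
    printf '%s\n' "$1" |
        grep -Eq '(^|[^A-Za-z0-9_])FIPS([^A-Za-z0-9_]|$)'
}

# Print "enabled", "disabled" or "unknown" from the most recent
# startup message in the log text (a restart appends a fresh line).
fips_mode_at_startup() {
    state=$(printf '%s\n' "$1" |
        sed -n 's/.*FIPS mode \([a-z]*\).*/\1/p' | tail -n 1)
    if [ -n "$state" ]; then
        printf '%s\n' "$state"
    else
        printf 'unknown\n'
    fi
}

# Combined verdict: 0 only when the binary was built with FIPS support
# AND the running instance reports FIPS mode enabled. Anything else
# (plain build, or a FIPS build started with "fips = no") fails.
fips_verified() {
    has_fips_support "$1" || return 1
    [ "$(fips_mode_at_startup "$2")" = "enabled" ]
}

# Constructed sample data (not captured from a real system), modelled
# on the banner and log layout of a 4.x-era build.
VERSION_FIPS='stunnel 4.54 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1c-fips 10 May 2012
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,FIPS,OCSP Auth:LIBWRAP'

VERSION_PLAIN='stunnel 4.54 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.1c 10 May 2012
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP Auth:LIBWRAP'

LOG_ENABLED='2012.11.05 22:30:01 LOG5[1234:140]: stunnel 4.54 on x86_64-pc-linux-gnu platform
2012.11.05 22:30:01 LOG5[1234:140]: FIPS mode enabled
2012.11.05 22:30:01 LOG5[1234:140]: Configuration successful'

LOG_DISABLED='2012.11.05 22:31:07 LOG5[1240:140]: stunnel 4.54 on x86_64-pc-linux-gnu platform
2012.11.05 22:31:07 LOG5[1240:140]: FIPS mode disabled
2012.11.05 22:31:07 LOG5[1240:140]: Configuration successful'

# On a live host, feed real output instead, for example:
#   has_fips_support "$(stunnel -version 2>&1)"
#   fips_mode_at_startup "$(cat /var/log/stunnel.log)"
has_fips_support "$VERSION_FIPS" && echo "FIPS build: support compiled in"
has_fips_support "$VERSION_PLAIN" || echo "plain build: no FIPS support, so 'fips = yes' has nothing to enable"
echo "FIPS build, fips = yes: $(fips_mode_at_startup "$LOG_ENABLED")"
echo "FIPS build, fips = no:  $(fips_mode_at_startup "$LOG_DISABLED")"
```

The point of keeping the two checks separate is the one the thread makes: the config option only matters once the binary has FIPS support compiled in, so a compliance check has to confirm the build first and the startup log second, and a passing `fips_verified` needs both.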