As part of an internal project at work, I'm investigating a Windows tunneling solution using STunnel. As a requirement of my work, I am to modify STunnel to use OpenSSL's FIPS APIs. And, with only a couple of speedbumps, I was able to achieve this.
However I'd like to make my code a little more robust--to provide some notification to the user if OpenSSL's FIPS mode is active or not. To this point I've not been able to figure out a way to do this. In my copy of the STunnel source, I've modified the routine ssl_init() in ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33 of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf). Below is a copy of my current copy of ssl_init():

    void ssl_init(void) { /* to keep CLI structure for verify callback */
    #if defined(OPENSSL_FIPS) && defined(USE_FIPS)
        if (!FIPS_mode_set(1)) {
            s_log(LOG_CRIT, "Could not set FIPS mode!");
        } else {
            s_log(LOG_INFO, "In FIPS mode.");
        }
    #endif
        /* rest of ssl_init() from original source */
    }

As I've found out, the s_log calls do nothing because the STunnel window has not been displayed yet. Ideally, in the case where the FIPS_mode_set() call fails, I'd like to invoke an error handler to cause the STunnel service to fail to start. But trying to make a call to something like sslerror() caused a program crash. Any ideas on how to make these changes?
On Monday 12 June 2006 16:04, David Gillingham wrote:
> As I've found out, the s_log calls do nothing because the STunnel window has not been displayed yet. Ideally, in the case where the FIPS_mode_set() call fails, I'd like to invoke an error handler to cause the STunnel service to fail to start. But trying to make a call to something like sslerror() caused a program crash. Any ideas on how to make these changes?
Great. I've just found a solution for this problem and I'm going to implement it in the next release. The log will be buffered in memory and then displayed later.
Best regards, Mike
Thanks for the quick response, Michal. There's another item in my original message that I'd like you to address. I want the consequences of the FIPS_mode_set() call failing to be a little more severe than just an error message being logged. I'd like it to trigger the "Stunnel is down due to an error...Click OK to the see the error log window." message box and not accept connections. I noticed that some of the other routines in ssl.c use sslerror(), but calling that caused a program crash.
So given my original code, I'd like it to eventually look something like this:

    #if defined(OPENSSL_FIPS) && defined(USE_FIPS)
        if (!FIPS_mode_set(1)) {
            /* OpenSSL could not be set to use FIPS mode */
            /* Since we only want to use FIPS mode, throw error message and do not let stunnel accept network connections */
            throw_error("Could not change to FIPS mode!");
        } else {
            s_log(LOG_INFO, "In FIPS mode.");
        }
    #endif
        /* rest of ssl_init() from original source */
    }

Which function should I call to achieve this?
On Tuesday 13 June 2006 21:25, David Gillingham wrote:
> I'd like it to trigger the "Stunnel is down due to an error...Click OK to the see the error log window." message box and not accept connections.
exit() currently does it for you on Win32. In common.h you'll find:

    #define exit(c) exit_stunnel(c)

Not really good style. I'm going to redesign this code one day.
> I noticed that some of the other routines in ssl.c use sslerror(), but calling that caused a program crash.
Maybe that's because you're trying to use error strings before loading them with SSL_load_error_strings(). 8-)
Best regards, Mike
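
A minimal sketch of the two ideas in this thread, added here as an example and not stunnel's own code: log lines written before the log window exists are held in memory and replayed later, and a failed FIPS switch makes initialization return an error so the caller never accepts connections. The names early_log, early_log_attach, crypto_init and the set_fips callback (standing in for FIPS_mode_set) are assumptions made for the illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

enum { EARLY_MAX = 16, EARLY_LEN = 128 };  /* constructed limits for this sketch */
static char early_buf[EARLY_MAX][EARLY_LEN];
static int early_count, early_dropped;
static FILE *log_sink;  /* NULL until the log window or file exists */

/* Log now if a sink exists, otherwise hold the line in memory. */
void early_log(const char *level, const char *fmt, ...) {
    char msg[EARLY_LEN];
    int n = snprintf(msg, sizeof msg, "[%.8s] ", level);
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg + n, sizeof msg - (size_t)n, fmt, ap);
    va_end(ap);
    if (log_sink) fprintf(log_sink, "%s\n", msg);
    else if (early_count < EARLY_MAX) strcpy(early_buf[early_count++], msg);
    else early_dropped++;  /* never overflow; report the loss on attach */
}

/* Attach the sink and replay buffered lines; returns how many were replayed. */
int early_log_attach(FILE *sink) {
    int n = early_count;
    log_sink = sink;
    for (int i = 0; i < n; i++) fprintf(sink, "%s\n", early_buf[i]);
    if (early_dropped) fprintf(sink, "[warn] %d early lines lost\n", early_dropped);
    early_count = early_dropped = 0;
    return n;
}

/* Fail closed: set_fips stands in for FIPS_mode_set (nonzero = success). */
int crypto_init(int (*set_fips)(int)) {
    if (!set_fips(1)) {
        early_log("crit", "Could not set FIPS mode, refusing to start");
        return -1;  /* caller must not open listening sockets */
    }
    early_log("info", "In FIPS mode.");
    return 0;
}

static int fips_ok(int on) { return on; }            /* constructed stand-ins, */
static int fips_fail(int on) { (void)on; return 0; } /* no OpenSSL needed */

int main(void) {
    int rc = crypto_init(fips_fail);  /* logged before any sink exists */
    early_log_attach(stderr);         /* the buffered line appears now */
    return (rc == 0 && fips_ok(1)) ? 0 : 1;
}
```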