[stunnel-users] Modifying STunnel to use OpenSSL FIPS
David Gillingham
dgillingham+stunnel at gmail.com
Mon Jun 12 16:04:56 CEST 2006
As part of an internal project at work, I'm investigating a Windows
tunneling solution using STunnel. As a requirement of my work, I am
to modify STunnel to use OpenSSL's FIPS APIs. And, with only a couple
of speedbumps, I was able to achieve this.
However I'd like to make my code a little more robust--to provide some
notification to the user if OpenSSL's FIPS mode is active or not. To
this point I've not been able to figure out a way to do this. In my
copy of the STunnel source, I've modified the routine ssl_init() in
ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33
of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf). Below is a
copy of my current copy of ssl_init():
void ssl_init(void) { /* to keep CLI structure for verify callback */
#if defined(OPENSSL_FIPS) && defined(USE_FIPS)
    /* FIPS_mode_set() is declared in <openssl/fips.h> in FIPS-capable builds */
    if (!FIPS_mode_set(1))
    {
        s_log(LOG_CRIT, "Could not set FIPS mode!");
    }
    else
    {
        s_log(LOG_INFO, "In FIPS mode.");
    }
#endif
    /* rest of ssl_init() from original source */
}
As I've found out, the s_log calls do nothing because the STunnel
window has not been displayed yet. Ideally, in the case where the
FIPS_mode_set() call fails, I'd like to invoke an error handler to
cause the STunnel service to fail to start. But trying to make a call
to something like sslerror() caused a program crash. Any ideas on how
to make these changes?
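One way to structure the start-up check so that a failed FIPS_mode_set(1) is reported back to the caller as a status code (which the service start-up path can act on before any log window exists) rather than only logged, as an added example that is not part of the original post or of stunnel. The OpenSSL functions are passed in as function pointers so the logic compiles and runs without the FIPS module; a real build would pass FIPS_mode_set and FIPS_mode, and the fake_* doubles below are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Outcome of the FIPS start-up check. Anything other than FIPS_READY
   means the caller should refuse to continue (fail closed), not merely
   log it, since the log window may not be displayed yet. */
enum fips_status {
    FIPS_READY = 0,      /* FIPS_mode_set(1) succeeded and FIPS_mode() agrees */
    FIPS_SET_FAILED = 1, /* FIPS_mode_set(1) returned 0 */
    FIPS_NOT_ACTIVE = 2  /* set reported success but FIPS_mode() still returns 0 */
};

typedef int (*fips_set_fn)(int);    /* signature of OpenSSL's FIPS_mode_set */
typedef int (*fips_query_fn)(void); /* signature of OpenSSL's FIPS_mode */

/* Write a message only if the caller supplied a buffer. */
static void set_msg(char *msg, size_t msg_len, const char *text)
{
    if (msg != NULL && msg_len > 0)
        snprintf(msg, msg_len, "%s", text);
}

/* Hypothetical helper: try to enable FIPS mode and verify it took effect. */
enum fips_status fips_startup_check(fips_set_fn set_fn, fips_query_fn query_fn,
                                    char *msg, size_t msg_len)
{
    if (!set_fn(1)) {
        set_msg(msg, msg_len, "FIPS_mode_set(1) failed; refusing to start");
        return FIPS_SET_FAILED;
    }
    /* Do not trust the return value alone: confirm the module reports FIPS mode. */
    if (!query_fn()) {
        set_msg(msg, msg_len, "FIPS_mode() reports non-FIPS after a successful set");
        return FIPS_NOT_ACTIVE;
    }
    set_msg(msg, msg_len, "OpenSSL FIPS mode active");
    return FIPS_READY;
}

/* Constructed test doubles standing in for FIPS_mode_set / FIPS_mode. */
static int fake_state = 0;
static int fake_set_ok(int on)   { fake_state = on; return 1; }
static int fake_set_fail(int on) { (void)on; return 0; }
static int fake_query(void)      { return fake_state; }
static int fake_query_off(void)  { return 0; } /* module never entered FIPS mode */

int main(void)
{
    char buf[128];
    enum fips_status s = fips_startup_check(fake_set_ok, fake_query, buf, sizeof buf);
    printf("status %d: %s\n", (int)s, buf);
    return s == FIPS_READY ? 0 : 1; /* non-zero exit aborts start-up */
}
```

In the stunnel build the call would become fips_startup_check(FIPS_mode_set, FIPS_mode, buf, sizeof buf) and the service entry point would exit on any status other than FIPS_READY.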