[stunnel-users] Modifying STunnel to use OpenSSL FIPS

David Gillingham dgillingham+stunnel at gmail.com
Mon Jun 12 16:04:56 CEST 2006


As part of an internal project at work, I'm investigating a Windows
tunneling solution using STunnel.  As a requirement of my work, I am
to modify STunnel to use OpenSSL's FIPS APIs.  And, with only a couple
of speedbumps, I was able to achieve this.

However I'd like to make my code a little more robust--to provide some
notification to the user if OpenSSL's FIPS mode is active or not.  To
this point I've not been able to figure out a way to do this.  In my
copy of the STunnel source, I've modified the routine ssl_init() in
ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33
of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf).  Below is a
copy of my current copy of ssl_init():

void ssl_init(void) { /* to keep CLI structure for verify callback */
#if defined(OPENSSL_FIPS) && defined(USE_FIPS)
   if (!FIPS_mode_set(1))
   {
      s_log(LOG_CRIT, "Could not set FIPS mdoe!");
   }
   else
   {
      s_log(LOG_INFO, "In FIPS mode.");
   }
#endif
   /* rest of ssl_init() from original source */
}

As I've found out, the s_log calls do nothing because the STunnel
window has not been displayed yet.  Ideally, in the case where the
FIPS_mode_set() call fails, I'd like to invoke an error handler to
cause the STunnel service to fail to start.  But trying to make a call
to something like sslerror() caused a program crash.  Any ideas on how
to make these changes?



More information about the stunnel-users mailing list