[stunnel-users] FIPS compliance
Michal Trojnara
Michal.Trojnara at mirt.net
Tue Sep 21 16:44:24 CEST 2010
Bucci, David G wrote:
> The documentation on fips= seems ambiguous to me ... does leaving it at
> the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate
it?
> Or does it do something else I'm not understanding?
>
> Basically, the q. is, what do you have to configure to ensure that
you're
> operating in a FIPS 140-2 compliant manner (at least, as the version of
> OpenSSL libs bundled understood it)? Do you have to specify ciphers
that
> are validated, etc.? Or just set that config option to "yes" ("no"?)?
>
> And how can one tell if the stunnel binary in use was compiled with FIPS
> support active? (I'm using the Windows 4.33 binary d/l'ed from
mirt.net).
If detected by ./configure, FIPS is enabled by default. You can disable
it with global option.
"stunnel -version" will tell you if it's compiled with FIPS support.
INSTALL.FIPS file distributed with stunnel should answer your remaining
questions:
FIPS support status:
- Unix platforms are currently supported.
- Win32 platform is currently unsupported due to some problems with
building and linking FIPS-enabled OpenSSL DLLs.
Unix HOWTO:
FIPS mode is autodetected if possible. You can force it with:
./configure --enable-fips
or disable with:
./configure --disable-fips
Preliminary WIN32 HOWTO (does NOT work, now):
- Download and install ActivePerl:
http://www.activestate.com/Products/activeperl/
- Download and install MinGW-5.1.3.exe:
http://www.mingw.org/download.shtml#hdr2
Also select "g++ compiler" for installation
- Download and install MSYS-1.0.10.exe:
http://www.mingw.org/download.shtml#hdr2
- Download OpenSSL FIPS:
http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz
- Execute MSYS and unpack OpenSSL:
tar -xzf /c/downloads/openssl-fips-1.1.2.tar.gz
- Build the OpenSSL:
cd openssl-fips-1.1.2
./config fips
make
make install
cd /usr/local/ssl/lib
ar xv `gcc -print-libgcc-file-name` _chkstk.o _udivdi3.o _umoddi3.o
mkdir /c/fipscanister/
cp _* fips* /c/fipscanister/
exit
- Download and unpack OpenSSL 0.9.7m:
http://www.openssl.org/source/openssl-0.9.7m.tar.gz
- Download and install Visual C++ 2008 Express Edition:
http://www.microsoft.com/express/vc/
- Execute "Open Visual Studio 2008 Command Prompt" and build OpenSSL:
perl Configure VC-WIN32 fips --with-fipslibdir=c:\fipscanister
ms\do_ms
nmake -f ms\ntdll.mak
Best regards,
Michal Trojnara
More information about the stunnel-users
mailing list