[stunnel-users] FIPS compliance

Michal Trojnara Michal.Trojnara at mirt.net
Tue Sep 21 16:44:24 CEST 2010 

Bucci, David G wrote:
> The documentation on fips= seems ambiguous to me ... does leaving it at
> the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate
it? 
> Or does it do something else I'm not understanding?
> 
> Basically, the q. is, what do you have to configure to ensure that
you're
> operating in a FIPS 140-2 compliant manner (at least, as the version of
> OpenSSL libs bundled understood it)?  Do you have to specify ciphers
that
> are validated, etc.?  Or just set that config option to "yes" ("no"?)?
> 
> And how can one tell if the stunnel binary in use was compiled with FIPS
> support active?  (I'm using the Windows 4.33 binary d/l'ed from
mirt.net).

If detected by ./configure, FIPS is enabled by default.  You can disable
it with global option.

"stunnel -version" will tell you if it's compiled with FIPS support.

INSTALL.FIPS file distributed with stunnel should answer your remaining
questions:

FIPS support status:
- Unix platforms are currently supported.
- Win32 platform is currently unsupported due to some problems with
  building and linking FIPS-enabled OpenSSL DLLs.

Unix HOWTO:
FIPS mode is autodetected if possible.  You can force it with:
  ./configure --enable-fips
or disable with:
  ./configure --disable-fips

Preliminary WIN32 HOWTO (does NOT work, now):
- Download and install ActivePerl:
    http://www.activestate.com/Products/activeperl/
- Download and install MinGW-5.1.3.exe:
    http://www.mingw.org/download.shtml#hdr2
  Also select "g++ compiler" for installation
- Download and install MSYS-1.0.10.exe:
    http://www.mingw.org/download.shtml#hdr2
- Download OpenSSL FIPS:
    http://www.openssl.org/source/openssl-fips-1.1.2.tar.gz
- Execute MSYS and unpack OpenSSL:
    tar -xzf /c/downloads/openssl-fips-1.1.2.tar.gz
- Build the OpenSSL:
    cd openssl-fips-1.1.2
    ./config fips
    make
    make install
    cd /usr/local/ssl/lib
    ar xv `gcc -print-libgcc-file-name` _chkstk.o _udivdi3.o _umoddi3.o
    mkdir /c/fipscanister/
    cp _* fips* /c/fipscanister/
    exit
- Download and unpack OpenSSL 0.9.7m:
  http://www.openssl.org/source/openssl-0.9.7m.tar.gz
- Download and install Visual C++ 2008 Express Edition:
  http://www.microsoft.com/express/vc/
- Execute "Open Visual Studio 2008 Command Prompt" and build OpenSSL:
  perl Configure VC-WIN32 fips --with-fipslibdir=c:\fipscanister
  ms\do_ms
  nmake -f ms\ntdll.mak

Best regards,
    Michal Trojnara

More information about the stunnel-users mailing list