[stunnel-users] stunnel with FIPS and SIGHUP

Michal Trojnara Michal.Trojnara at mirt.net
Sat Jan 15 20:28:30 CET 2011



Eric Lambert wrote:
> With the suggested fix, it would look as follows:
>
>     int ssl_configure(void) { /* configure global SSL settings */
>     #ifdef USE_FIPS
>         FIPS_mode_set(0);
>         RAND_set_rand_method(NULL);
>         if(!FIPS_mode_set(global_options.option.fips)) {
>             ERR_load_crypto_strings();
>             sslerror("FIPS_mode_set");
>             return 0;
>         }
>         s_log(LOG_NOTICE, "FIPS mode %s",
>             global_options.option.fips ? "enabled" : "disabled");
>     #endif /* USE_FIPS */
>         :
>         :
>     }
>
> Does the above seem reasonable?  Could this change, or some other
> modification which would support using SIGHUP with FIPS, be
> considered for a future stunnel update?

What about:

#ifdef USE_FIPS
     if(FIPS_mode()!=global_options.option.fips) {
         RAND_set_rand_method(NULL); /* reset RAND methods */
         if(!FIPS_mode_set(global_options.option.fips)) {
             ERR_load_crypto_strings();
             sslerror("FIPS_mode_set");
             return 0;
         }
         s_log(LOG_NOTICE, "FIPS mode %s",
             global_options.option.fips ? "enabled" : "disabled");
     }
#endif /* USE_FIPS */

?

Mike
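The difference between the two proposals in this thread is easiest to see by running a reload loop against a model of the FIPS module. The following is an added example, not code from stunnel or from either poster; the `sim_FIPS_mode`/`sim_FIPS_mode_set` functions are a constructed stand-in for the OpenSSL FIPS module (assumed here to refuse entering FIPS mode when it is already in FIPS mode, which is the failure the thread works around), and the three `*_configure` functions are hypothetical names for the unconditional call, the reset-then-set variant, and the compare-first variant.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the FIPS module state: NOT the real OpenSSL API.
 * Assumption modelled: FIPS_mode_set(1) fails with "FIPS mode already set"
 * when the module is already in FIPS mode. */
int fips_state = 0;            /* 0 = off, 1 = on */
int transitions = 0;           /* how often the module actually changed mode */
char last_error[64] = "";

int sim_FIPS_mode(void) { return fips_state; }

int sim_FIPS_mode_set(int onoff) {
    if (onoff && fips_state) {
        strcpy(last_error, "FIPS mode already set");
        return 0;
    }
    if ((onoff ? 1 : 0) != fips_state) transitions++;
    fips_state = onoff ? 1 : 0;
    last_error[0] = '\0';
    return 1;
}

/* Unconditional re-apply, as ssl_configure() did on every SIGHUP. */
int naive_configure(int want_fips) {
    if (!sim_FIPS_mode_set(want_fips)) {
        fprintf(stderr, "FIPS_mode_set: %s\n", last_error);
        return 0;
    }
    return 1;
}

/* Reset-then-set, the shape of the first proposal in the thread. */
int reset_configure(int want_fips) {
    sim_FIPS_mode_set(0);
    if (!sim_FIPS_mode_set(want_fips)) {
        fprintf(stderr, "FIPS_mode_set: %s\n", last_error);
        return 0;
    }
    return 1;
}

/* Compare-first, the shape of the reply: only touch the module when the
 * configured mode differs from the current one. */
int guarded_configure(int want_fips) {
    if (sim_FIPS_mode() != want_fips) {
        if (!sim_FIPS_mode_set(want_fips)) {
            fprintf(stderr, "FIPS_mode_set: %s\n", last_error);
            return 0;
        }
        printf("FIPS mode %s\n", want_fips ? "enabled" : "disabled");
    }
    return 1;
}

/* Simulate startup followed by `reloads` SIGHUPs with the same config.
 * Returns the number of reloads that succeeded, or -1 if startup failed. */
int reload_count(int (*configure)(int), int want_fips, int reloads) {
    int ok = 0, i;
    fips_state = 0;            /* fresh process */
    transitions = 0;
    if (!configure(want_fips)) return -1;
    for (i = 0; i < reloads; i++) ok += configure(want_fips);
    return ok;
}

int main(void) {
    int n;
    n = reload_count(naive_configure, 1, 3);
    printf("naive:   %d of 3 reloads ok, %d mode transitions\n", n, transitions);
    n = reload_count(reset_configure, 1, 3);
    printf("reset:   %d of 3 reloads ok, %d mode transitions\n", n, transitions);
    n = reload_count(guarded_configure, 1, 3);
    printf("guarded: %d of 3 reloads ok, %d mode transitions\n", n, transitions);
    return 0;
}
```

With FIPS enabled in the config, the unconditional version fails on every reload after the first, the reset-then-set version succeeds but leaves and re-enters FIPS mode (and so re-runs the module's power-up self-tests) on each SIGHUP, and the compare-first version succeeds with a single mode transition for the life of the process while still honouring a config change from enabled to disabled.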



More information about the stunnel-users mailing list