[stunnel-users] Need help building FIPS capable Stunnel for Windows CE

Michal Trojnara Michal.Trojnara at mirt.net
Wed Oct 17 21:50:28 CEST 2012


Robert Bao wrote:
> I am attempting to build a FIPS-capable Openssl for an XScale
> processor (ARMV4I) running under Windows CE 5.0 (using openssl-1.0.1c
> and openssl-fips-2.0.1), that was successful.
[cut]
> FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match

I had this error (WIN32 build, but the build process is the same 
according to https://openssl.org/docs/fips/UserGuide-2.0.pdf) when my 
FIPS-capable OpenSSL was broken.  Although compilation phase reported 
success, the built-in FIPS tests failed.  Obviously stunnel was also 
unable to initialize FIPS mode.

What this error means is that in-memory image of the FIPS module was 
found to be different from the one acquired during the original build.  
In my case the problem was caused by the linker enabling ASLR by 
default.  Downgrading the compiler suite fixed the problem without 
violating FIPS policy 
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf), 
as ASLR is disabled in older linkers by default.

Mike




More information about the stunnel-users mailing list