[stunnel-users] Need help building FIPS capable Stunnel for Windows CE
Michal Trojnara
Michal.Trojnara at mirt.net
Wed Oct 17 21:50:28 CEST 2012
Robert Bao wrote:
> I am attempting to build a FIPS-capable OpenSSL for an XScale
> processor (ARMV4I) running under Windows CE 5.0 (using openssl-1.0.1c
> and openssl-fips-2.0.1), that was successful.
[cut]
> FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match
I had this error (WIN32 build, but the build process is the same
according to https://openssl.org/docs/fips/UserGuide-2.0.pdf) when my
FIPS-capable OpenSSL was broken. Although the compilation phase reported
success, the built-in FIPS tests failed. Obviously stunnel was also
unable to initialize FIPS mode.

What this error means is that the in-memory image of the FIPS module was
found to be different from the one acquired during the original build.

In my case the problem was caused by the linker enabling ASLR by
default. Downgrading the compiler suite fixed the problem without
violating FIPS policy
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf),
as ASLR is disabled in older linkers by default.
Mike