[stunnel-users] FIPS compliant Stunnel build

Michael Curran mike_curran at hotmail.com
Thu Jul 24 01:40:36 CEST 2014


I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. 
The FIPSDIR= option still did not allow Stunnel to autodiscover fips.h -- these are my OpenSSL 1.0.1h configure commands:
openssl-fips-2.0.7: ./config ; make ; make install
openssl-1.0.1h: ./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install
Stunnel 5.02:

I am not installing the newer copy of OpenSSL to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different from the OS-installed OpenSSL, so as not to risk breaking ssh or OS upgrade capabilities.
./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install


During the make phase it just says it cannot find fips.h but it says FIPS enabled -- but when I tell it to use FIPS I get:
checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status
Restarting Stunnel with fips=yes gives me this:
[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL

The TODO file in Stunnel5.02 tarball has this 
* Support static FIPS-enabled build.
Does this mean that it can only currently support a system that is fully FIPS enabled and not my static libraries that I use for building Stunnel? That's what I get out of this.
And upon further reading of the INSTALL.FIPS file I confirm this 
Unix HOWTO:
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported, i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance which implicitly states I cannot call out shared as part of the config options.

Mike Curran
From: mike_curran at hotmail.com
To: nobody at dizum.com
Subject: RE: FIPS compliant Stunnel build
Date: Wed, 23 Jul 2014 17:34:08 -0500




I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. 
The FIPSDIR= option still did not allow Stunnel to autodiscover fips.h -- these are my OpenSSL 1.0.1h configure commands:
openssl-fips-2.0.7: ./config ; make ; make install
openssl-1.0.1h: ./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install
Stunnel 5.02:

I am not installing the newer copy of OpenSSL to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different from the OS-installed OpenSSL, so as not to risk breaking ssh or OS upgrade capabilities.
./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install


During the make phase it just says it cannot find fips.h but it says FIPS enabled -- but when I tell it to use FIPS I get:
checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status
Restarting Stunnel with fips=yes gives me this:
[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL

The TODO file in Stunnel5.02 tarball has this 
* Support static FIPS-enabled build.
Does this mean that it can only currently support a system that is fully FIPS enabled and not my static libraries that I use for building Stunnel? That's what I get out of this.
Mike Curran

> From: nobody at dizum.com
> To: mike_curran at hotmail.com
> Subject: Re: FIPS compliant Stunnel build
> Date: Thu, 24 Jul 2014 00:00:37 +0200
> 
> it IS possible...
> 
> use FIPSDIR environment variable -- 
> NOT any change to FIPS Object Module ./config command
> 
> BUT most important see:
> 
> 6.6 The "Secure Installation" Issue
> 
> of
> 
> User Guide for the OpenSSL FIPS Object Module v2.0
> (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)
> 
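As an added example (not part of the thread, and not code from the stunnel or OpenSSL projects): a small POSIX sh pre-flight check that inspects the FIPS Object Module tree that FIPSDIR names and the OpenSSL prefix handed to stunnel's --with-ssl, before stunnel's configure is run. It assumes the FIPS Object Module install layout (lib/fipscanister.o, bin/fipsld and include/openssl/fips.h under FIPSDIR, default /usr/local/ssl/fips-2.0) and that an OpenSSL 1.0.x built with "./config fips" defines OPENSSL_FIPS in include/openssl/opensslconf.h and installs include/openssl/fips.h. The fips.h probe is the one stunnel's configure reports "usability... no" for in the output above, and a libcrypto compiled without OPENSSL_FIPS is what makes FIPS_mode_set() return "fips mode not supported" at runtime. The function names are my own, and the directory trees it builds at the end are constructed purely for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel/OpenSSL projects:
# pre-flight checks to run before "./configure --with-ssl=PREFIX" for a
# FIPS build of stunnel.
#
# Assumptions (mine):
#   * FIPSDIR points at an installed OpenSSL FIPS Object Module 2.0 tree
#     (default /usr/local/ssl/fips-2.0) containing lib/fipscanister.o,
#     bin/fipsld and include/openssl/fips.h;
#   * an OpenSSL 1.0.x built with "./config fips" defines OPENSSL_FIPS in
#     include/openssl/opensslconf.h and installs include/openssl/fips.h.
#     fips.h is what stunnel's configure probes; a libcrypto compiled without
#     OPENSSL_FIPS is what makes FIPS_mode_set() fail with
#     "fips mode not supported" at runtime.

# Check the FIPS Object Module tree that the FIPSDIR variable names.
check_fips_module_dir() {
    fipsdir="$1"
    rc=0
    for f in lib/fipscanister.o bin/fipsld include/openssl/fips.h; do
        if [ ! -e "$fipsdir/$f" ]; then
            echo "FIPSDIR: missing $fipsdir/$f" >&2
            rc=1
        fi
    done
    return $rc
}

# Check the OpenSSL prefix that stunnel will be configured with.
check_openssl_prefix() {
    prefix="$1"
    inc="$prefix/include/openssl"
    rc=0
    if [ ! -f "$inc/fips.h" ]; then
        echo "OpenSSL: $inc/fips.h missing; stunnel configure will warn 'OpenSSL fips header not found'" >&2
        rc=1
    fi
    if ! grep -Eq '^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([^A-Za-z0-9_]|$)' \
            "$inc/opensslconf.h" 2>/dev/null; then
        echo "OpenSSL: OPENSSL_FIPS not defined in $inc/opensslconf.h; FIPS_mode_set() will fail with 'fips mode not supported'" >&2
        rc=1
    fi
    return $rc
}

# Build a constructed install tree for demonstration only: kind "fips" mimics
# a FIPS-capable install, anything else a plain build.
make_sample_prefix() {
    dir="$1"
    kind="$2"
    mkdir -p "$dir/include/openssl" "$dir/lib" "$dir/bin"
    if [ "$kind" = fips ]; then
        : > "$dir/include/openssl/fips.h"
        : > "$dir/lib/fipscanister.o"
        : > "$dir/bin/fipsld"
        printf '#ifndef OPENSSL_FIPS\n# define OPENSSL_FIPS\n#endif\n' \
            > "$dir/include/openssl/opensslconf.h"
    else
        printf '/* plain build: no OPENSSL_FIPS */\n' \
            > "$dir/include/openssl/opensslconf.h"
    fi
}

# Demonstration on constructed trees. On a real system run instead:
#   check_fips_module_dir "${FIPSDIR:-/usr/local/ssl/fips-2.0}"
#   check_openssl_prefix /usr/local/openssl-100
demo=$(mktemp -d)
make_sample_prefix "$demo/fips-capable" fips
make_sample_prefix "$demo/plain" plain
check_fips_module_dir "$demo/fips-capable" && check_openssl_prefix "$demo/fips-capable" \
    && echo "fips-capable: OK to build stunnel with FIPS against it"
check_openssl_prefix "$demo/plain" \
    || echo "plain: not FIPS-capable, stunnel's fips=yes will fail against it"
rm -rf "$demo"
```

If check_openssl_prefix fails on the prefix you pass to --with-ssl, stunnel's configure will print the same "OpenSSL fips header not found" warning seen above and the resulting binary will hit "fips mode not supported" when fips=yes is set; fix the OpenSSL build first rather than the stunnel one.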
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20140723/064a7017/attachment.html>

