[stunnel-users] Modifying STunnel to use OpenSSL FIPS

• Previous message (by thread): [stunnel-users] socket closed after SSL_write
• Next message (by thread): [stunnel-users] Modifying STunnel to use OpenSSL FIPS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

As part of an internal project at work, I'm investigating a Windows
tunneling solution using STunnel.  As a requirement of my work, I am
to modify STunnel to use OpenSSL's FIPS APIs.  And, with only a couple
of speedbumps, I was able to achieve this.

However I'd like to make my code a little more robust--to provide some
notification to the user if OpenSSL's FIPS mode is active or not.  To
this point I've not been able to figure out a way to do this.  In my
copy of the STunnel source, I've modified the routine ssl_init() in
ssl.c to make a call to FIPS_mode_set(1) (as demonstrated on page 33
of http://www.openssl.org/docs/fips/UserGuide-1.0.pdf).  Below is a
copy of my current copy of ssl_init():

void ssl_init(void) { /* to keep CLI structure for verify callback */
#if defined(OPENSSL_FIPS) && defined(USE_FIPS)
   if (!FIPS_mode_set(1))
   {
      s_log(LOG_CRIT, "Could not set FIPS mdoe!");
   }
   else
   {
      s_log(LOG_INFO, "In FIPS mode.");
   }
#endif
   /* rest of ssl_init() from original source */
}

As I've found out, the s_log calls do nothing because the STunnel
window has not been displayed yet.  Ideally, in the case where the
FIPS_mode_set() call fails, I'd like to invoke an error handler to
cause the STunnel service to fail to start.  But trying to make a call
to something like sslerror() caused a program crash.  Any ideas on how
to make these changes?

• Previous message (by thread): [stunnel-users] socket closed after SSL_write
• Next message (by thread): [stunnel-users] Modifying STunnel to use OpenSSL FIPS
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]