[stunnel-users] stunnel with FIPS and SIGHUP

Eric Lambert eric.lambert88 at gmail.com
Wed Jan 12 19:15:41 CET 2011


Hello,

I am having difficulty when running stunnel in FIPS mode and using a
SIGHUP to get stunnel to re-read its configuration file (for instance if
I've changed a port # or IP address for one of the connections).  This
causes stunnel to call the SSL routine FIPS_mode_set() a second time after
receiving the SIGHUP, which in turn attempts to reinitialize SSL.
Unfortunately, OpenSSL does not support calling FIPS_mode_set(1) more than
once.  The initialization of SSL becomes incomplete as a result of the 2nd
call and subsequent attempts to use stunnel to establish encrypted
connections fail.

Does anyone have any suggestions on how I can make this work (besides
killing and restarting stunnel)?

If not, I have a proposed fix (and there are multiple ways that this could
be addressed).  Anyway, my suggestion is to add the following two lines to
the ssl_configure() function (found in the file "ssl.c"), right before the
current FIPS_mode_set() routine is called:

    FIPS_mode_set(0);
    RAND_set_rand_method(NULL);

The function currently looks like:

    int ssl_configure(void) { /* configure global SSL settings */
    #ifdef USE_FIPS
        if(!FIPS_mode_set(global_options.option.fips)) {
            ERR_load_crypto_strings();
            sslerror("FIPS_mode_set");
            return 0;
        }
        s_log(LOG_NOTICE, "FIPS mode %s",
            global_options.option.fips ? "enabled" : "disabled");
    #endif /* USE_FIPS */
        :
        :
    }

With the suggested fix, it would look as follows:

    int ssl_configure(void) { /* configure global SSL settings */
    #ifdef USE_FIPS
        FIPS_mode_set(0);           /* leave FIPS mode if an earlier configure enabled it */
        RAND_set_rand_method(NULL); /* fall back to the default RAND method */
        if(!FIPS_mode_set(global_options.option.fips)) {
            ERR_load_crypto_strings();
            sslerror("FIPS_mode_set");
            return 0;
        }
        s_log(LOG_NOTICE, "FIPS mode %s",
            global_options.option.fips ? "enabled" : "disabled");
    #endif /* USE_FIPS */
        :
        :
    }

Does the above seem reasonable?  Could this change, or some other
modification which would support using SIGHUP with FIPS, be considered for a
future stunnel update?

Thanks for your help.
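The reload problem described above, as an added self-contained model (not stunnel's or OpenSSL's code): a constructed stand-in for FIPS_mode_set() fails and leaves the library half-initialised when enable is called twice, and the reset-before-set path from the proposed fix is compared against the current set-only path across SIGHUP reloads. The model does not link OpenSSL; the names model_FIPS_mode_set, configure_naive, configure_with_reset and simulate are assumptions of this example.

```c
#include <stdio.h>

/* Constructed model of the FIPS entry point as the post describes it:
 * the first FIPS_mode_set(1) succeeds, a second one while FIPS is
 * already enabled fails and leaves the library incompletely initialised.
 * Disabling is always allowed. Not the real OpenSSL implementation. */
static int fips_enabled = 0;   /* 1 while the FIPS module is active   */
static int fips_broken  = 0;   /* 1 once a repeated enable has occurred */

static int model_FIPS_mode_set(int onoff) {
    if (onoff) {
        if (fips_enabled) { fips_broken = 1; return 0; } /* second enable */
        fips_enabled = 1;
        return 1;
    }
    fips_enabled = 0;
    return 1;
}

/* Can TLS connections still be established? Not after a broken enable. */
static int model_ssl_usable(void) { return !fips_broken; }

/* Current behaviour: every (re)configure just sets the wanted mode. */
int configure_naive(int want_fips) {
    return model_FIPS_mode_set(want_fips);
}

/* Proposed fix: drop to non-FIPS first, then set the wanted mode, so a
 * SIGHUP reload never enables FIPS twice in a row. */
int configure_with_reset(int want_fips) {
    model_FIPS_mode_set(0);
    return model_FIPS_mode_set(want_fips);
}

/* Start with fips=yes, then apply `reloads` SIGHUP reloads of the same
 * configuration; return 1 if stunnel could still serve TLS afterwards. */
int simulate(int (*configure)(int), int reloads) {
    fips_enabled = 0; fips_broken = 0;          /* fresh process */
    int ok = configure(1);
    for (int i = 0; i < reloads && ok; i++) ok = configure(1);
    return ok && model_ssl_usable();
}

int main(void) {
    printf("set-only reload:        %s\n",
           simulate(configure_naive, 1) ? "TLS works" : "TLS broken");
    printf("reset-then-set reload:  %s\n",
           simulate(configure_with_reset, 1) ? "TLS works" : "TLS broken");
    return 0;
}
```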