[stunnel-users] Need help building FIPS capable Stunnel for Windows CE

Bao, Robert rbao at tycoint.com
Thu Oct 18 17:08:47 CEST 2012


Hi Mike,

Thanks a lot for your reply and help.

According to the engineer who actually is trying to make this work for
our WinCE environment, the way you resolved your problem is for a native
Windows environment that unfortunately doesn't apply to our
cross-compile build (for WinCE).

Best regards,
Robert

-----Original Message-----
From: stunnel-users-bounces at stunnel.org
[mailto:stunnel-users-bounces at stunnel.org] On Behalf Of Michal Trojnara
Sent: Wednesday, October 17, 2012 3:50 PM
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Need help building FIPS capable Stunnel
for Windows CE

Robert Bao wrote:
> I am attempting to build a FIPS-capable OpenSSL for an XScale
> processor (ARMV4I) running under Windows CE 5.0 (using openssl-1.0.1c
> and openssl-fips-2.0.1), that was successful.
[cut]
> FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS
> routines:FIPS_check_incore_fingerprint:fingerprint does not match

I had this error (WIN32 build, but the build process is the same
according to https://openssl.org/docs/fips/UserGuide-2.0.pdf) when my
FIPS-capable OpenSSL was broken.  Although the compilation phase reported
success, the built-in FIPS tests failed.  Obviously stunnel was also
unable to initialize FIPS mode.

What this error means is that the in-memory image of the FIPS module was
found to be different from the one acquired during the original build.
In my case the problem was caused by the linker enabling ASLR by
default.  Downgrading the compiler suite fixed the problem without
violating FIPS policy
(http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf),
as ASLR is disabled in older linkers by default.

Mike
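
For the Win32 case Mike describes, whether the linker opted a binary into ASLR can be read from its PE header: the DYNAMICBASE bit in DllCharacteristics, which only takes effect if relocations were not stripped. The script below is an added example, not part of the original thread or of stunnel or OpenSSL; `make_sample_header` and its values are constructed test input, and the check reads header flags only (it does not verify the FIPS fingerprint).

```python
import struct
import sys

IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics bit
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # ASLR opt-in bit set by the linker

def pe_aslr_status(image: bytes) -> dict:
    """Return the ASLR-related header bits of a PE image (EXE or DLL)."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    opt = coff + 20                      # optional header follows the 20-byte COFF header
    if len(image) < opt + 72:
        raise ValueError("truncated PE headers")
    _, _, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", image, coff)
    (magic,) = struct.unpack_from("<H", image, opt)
    if opt_size < 72 or magic not in (0x10B, 0x20B):   # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # The loader can only move the image if it opted in and kept relocations.
        "may_be_relocated": dynamic_base and not relocs_stripped,
    }

def make_sample_header(dll_chars: int, characteristics: int = 0x0102) -> bytes:
    """Constructed minimal PE32 header (not a real binary) for offline testing."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 96, characteristics)
    optional = bytearray(96)
    struct.pack_into("<H", optional, 0, 0x10B)
    struct.pack_into("<H", optional, 70, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(optional)

if __name__ == "__main__":
    if len(sys.argv) > 1:                # path to a built EXE or DLL
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:                                # fall back to the constructed sample
        data = make_sample_header(IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print(pe_aslr_status(data))
```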
