[stunnel-users] 5.xx Windows binaries - FIPS compliant?

Rob Lockhart rlockhar at gmail.com
Mon Mar 30 22:42:35 CEST 2015


On Wed, Mar 25, 2015 at 10:15 AM, Michal Trojnara
<Michal.Trojnara at mirt.net> wrote:
>
> On 24.03.2015 18:08, Rob Lockhart wrote:
>> That compiled version doesn't seem to be built with FIPS canister,
>> as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar
>> 2015" without a "-fips" appendage after the OpenSSL version. In
>> other words, if it was built as FIPS-compliant, it would show:
>> "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
>
> "-fips" would indeed have been reported if I had included OpenSSL
> headers in a specific order.  Namely,
>   #include <openssl/opensslconf.h>
> needs to be before:
>   #include <openssl/opensslv.h>
> I will correct this issue in the next release of stunnel.
>
>> It may support the FIPS options (in the config file) but it's not
>> FIPS-compliant.
>
> Yes, it is.  It just does not report it properly.
>
>> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot
>> be enabled. Am I understanding this correctly?
>
> "fips = yes" option only works when OpenSSL is built with FIPS canister.
> It is "compliant" when built according to the FIPS Security Policy:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
> where building with FIPS canister is the most basic requirement.
>
> Thank you very much for reporting this issue!
>
> Mike

Thanks for your follow-up; I assumed that it was a cosmetic error and
not a build issue too after seeing that "openssl.exe" was included in
the install directory. Running "openssl.exe version" in a CMD prompt
showed the "-fips" appendage.
Thanks for fixing stunnel!

 -Rob
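An added illustration (not stunnel's or OpenSSL's code) of the include-order effect Michal describes and of the check Rob ran with "openssl.exe version": the two "headers" below are constructed stand-ins for opensslconf.h and opensslv.h, reduced to the macros involved, and openssl_reports_fips is a hypothetical helper that inspects the version token in `openssl version` output or in stunnel's "Compiled/running with" log line.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for OpenSSL 1.0.2's opensslv.h, reduced to the one macro that
 * matters: the version text is chosen with #ifdef at the point where the
 * header is processed, not where OPENSSL_VERSION_TEXT is later used. */
/* --- ordering 1: opensslv.h processed BEFORE opensslconf.h (the bug) --- */
#ifdef OPENSSL_FIPS
# define VERSION_TEXT_V_FIRST "OpenSSL 1.0.2a-fips 19 Mar 2015"
#else
# define VERSION_TEXT_V_FIRST "OpenSSL 1.0.2a 19 Mar 2015"
#endif

/* Stand-in for opensslconf.h from a build configured with the FIPS
 * canister: such a build defines OPENSSL_FIPS here. */
#ifndef OPENSSL_FIPS
# define OPENSSL_FIPS
#endif

/* --- ordering 2: opensslconf.h processed BEFORE opensslv.h (the fix) --- */
#ifdef OPENSSL_FIPS
# define VERSION_TEXT_CONF_FIRST "OpenSSL 1.0.2a-fips 19 Mar 2015"
#else
# define VERSION_TEXT_CONF_FIRST "OpenSSL 1.0.2a 19 Mar 2015"
#endif

const char *version_text_wrong_order(void) { return VERSION_TEXT_V_FIRST; }
const char *version_text_fixed_order(void) { return VERSION_TEXT_CONF_FIRST; }

/* Returns 1 when the version token following "OpenSSL " ends in "-fips",
 * 0 otherwise (also 0 when no "OpenSSL " marker is present). Works on
 * `openssl version` output and on stunnel's "Compiled/running with" line. */
int openssl_reports_fips(const char *line)
{
    const char *p = strstr(line, "OpenSSL ");
    size_t n;
    if (p == NULL)
        return 0;
    p += strlen("OpenSSL ");
    n = strcspn(p, " \r\n");  /* length of the version token, e.g. "1.0.2a-fips" */
    return n >= 5 && strncmp(p + n - 5, "-fips", 5) == 0;
}

int main(void)
{
    printf("opensslv.h first   : %s\n", version_text_wrong_order());
    printf("opensslconf.h first: %s\n", version_text_fixed_order());
    /* Constructed sample of the stunnel log line quoted in the thread. */
    printf("log reports fips: %d\n",
           openssl_reports_fips("Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"));
    return 0;
}
```

The first ordering silently yields the non-FIPS text even though OPENSSL_FIPS is defined by the time the program runs, which is why "openssl.exe version" (built from correctly ordered headers) is the more reliable check.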
