I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. 

The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command 

openssl-fips-2.0.7 
./config ; make ; make install

openssl-1.0.1h
./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install

Stunnel5.02


I am not installing the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different from the OS-installed openssl, so as not to risk breaking ssh or OS upgrade capabilities.

./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap  ; make ; make install


During the Make phase it just says it cannot find fips.h but it says fips enabled -- but when I tell it to use FIPS I get 

checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status

Restarting Stunnel with fips=yes gives me this 

[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL


The TODO file in Stunnel5.02 tarball has this 

* Support static FIPS-enabled build.

Does this mean that it can only currently support a system that is fully FIPS enabled and not my static libraries that I use for building Stunnel? That's what I get out of this.

And upon further reading of the INSTALL.FIPS file I confirm this 

Unix HOWTO:
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported,
  i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.

I cannot install it with dynamic libraries as I am required to build via the actual instructions for FIPS 140-2 compliance which implicitly states I cannot call out shared as part of the config options.


Mike Curran


From: [email protected]
To: [email protected]
Subject: RE: FIPS compliant Stunnel build
Date: Wed, 23 Jul 2014 17:34:08 -0500

I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions. 

The FIPSDIR= option still did not allow Stunnel to autodiscover FIPS.h -- this is my openssl1.0.1h configure command 

openssl-fips-2.0.7 
./config ; make ; make install

openssl-1.0.1h
./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install

Stunnel5.02


I am not installing the newer copy of openssl to the rest of the system, just as libraries accessible to Stunnel for building with a version that is different from the OS-installed openssl, so as not to risk breaking ssh or OS upgrade capabilities.

./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap  ; make ; make install


During the Make phase it just says it cannot find fips.h but it says fips enabled -- but when I tell it to use FIPS I get 

checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status

Restarting Stunnel with fips=yes gives me this 

[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL


The TODO file in Stunnel5.02 tarball has this 

* Support static FIPS-enabled build.

Does this mean that it can only currently support a system that is fully FIPS enabled and not my static libraries that I use for building Stunnel? That's what I get out of this.

Mike Curran

> From: [email protected]
> To: [email protected]
> Subject: Re: FIPS compliant Stunnel build
> Date: Thu, 24 Jul 2014 00:00:37 +0200
>
> it IS possible...
>
> use FIPSDIR environment variable --
> NOT any change to FIPS Object Module ./config command
>
> BUT most important see:
>
> 6.6 The "Secure Installation" Issue
>
> of
>
> User Guide for the OpenSSL FIPS Object Module v2.0
> (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)
>