-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Eric Lambert wrote:
With the suggested fix, it would look as follows:
int ssl_configure(void) { /* configure global SSL settings */ #ifdef USE_FIPS FIPS_mode_set(0); RAND_set_rand_method(NULL); if(!FIPS_mode_set(global_options.option.fips)) { ERR_load_crypto_strings(); sslerror("FIPS_mode_set"); return 0; } s_log(LOG_NOTICE, "FIPS mode %s", global_options.option.fips ? "enabled" : "disabled"); #endif /* USE_FIPS */ : : }
Does the above seem reasonable. Could this change, or some other modification which would support using SIGHUP with FIPS, be considered for a future stunnel update?
What about: #ifdef USE_FIPS if(FIPS_mode()!=global_options.option.fips) { RAND_set_rand_method(NULL); /* reset RAND methods */ if(!FIPS_mode_set(global_options.option.fips)) { ERR_load_crypto_strings(); sslerror("FIPS_mode_set"); return 0; } s_log(LOG_NOTICE, "FIPS mode %s", global_options.option.fips ? "enabled" : "disabled"); } #endif /* USE_FIPS */ ? Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (Darwin) iEYEARECAAYFAk0x9V8ACgkQ/NU+nXTHMtHadQCgyoxGzwuGW8GbDqTu9DCqyba4 WbcAoKIw/zrddw9HUoAR519n281oXbJt =oxtU -----END PGP SIGNATURE-----