[stunnel-users] FIPS compliance
Michal.Trojnara at mirt.net
Tue Sep 21 16:44:24 CEST 2010
Bucci, David G wrote:
> The documentation on fips= seems ambiguous to me ... does leaving it at
> the default of "yes" /prevent/ FIPS 140-2 compliance mode, or mandate
> Or does it do something else I'm not understanding?
> Basically, the q. is, what do you have to configure to ensure that
> operating in a FIPS 140-2 compliant manner (at least, as the version of
> OpenSSL libs bundled understood it)? Do you have to specify ciphers
> are validated, etc.? Or just set that config option to "yes" ("no"?)?
> And how can one tell if the stunnel binary in use was compiled with FIPS
> support active? (I'm using the Windows 4.33 binary d/l'ed from

If detected by ./configure, FIPS is enabled by default. You can disable
it with a global option.

"stunnel -version" will tell you if it's compiled with FIPS support.

INSTALL.FIPS file distributed with stunnel should answer your remaining

FIPS support status:
- Unix platforms are currently supported.
- Win32 platform is currently unsupported due to some problems with
building and linking FIPS-enabled OpenSSL DLLs.
FIPS mode is autodetected if possible. You can force it with:
or disable with:
Preliminary WIN32 HOWTO (does NOT work, now):
- Download and install ActivePerl:
- Download and install MinGW-5.1.3.exe:
Also select "g++ compiler" for installation
- Download and install MSYS-1.0.10.exe:
- Download OpenSSL FIPS:
- Execute MSYS and unpack OpenSSL:
tar -xzf /c/downloads/openssl-fips-1.1.2.tar.gz
- Build the OpenSSL:
ar xv `gcc -print-libgcc-file-name` _chkstk.o _udivdi3.o _umoddi3.o
cp _* fips* /c/fipscanister/
- Download and unpack OpenSSL 0.9.7m:
- Download and install Visual C++ 2008 Express Edition:
- Execute "Open Visual Studio 2008 Command Prompt" and build OpenSSL:
perl Configure VC-WIN32 fips --with-fipslibdir=c:\fipscanister
nmake -f ms\ntdll.mak