[stunnel-users] Stunnel 4.56 and FIPS

mehmet ozisik mehmetzsk at gmail.com
Mon Jul 8 08:43:43 CEST 2013


Hi,

I was having the same error on x86. Then I read this and followed the
instructions written in this post, and it worked successfully. Please
have a look at this:

http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html

Regards
Mehmet


2013/7/8 Ondrej Hrebicek <ondrej at gmail.com>

> Hello stunnel users,
>
> I'm trying to compile stunnel 4.56 with FIPS support on Ubuntu 12.04.
> Always end up with the infamous "fingerprint does not match" error. I can't
> figure out what I'm doing wrong.
>
> 1. Download openssl-fips-2.0.2.tar.gz, unpack, ./config, make, and sudo
> make install (as specified in
> http://www.openssl.org/docs/fips/UserGuide-2.0.pdf)
>
> 2. Download openssl-1.0.1e.tar.gz, unpack, ./config fips
> --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
> --with-fipsdir=/usr/local/ssl/fips-2.0/, make depend, make, and sudo make
> install
>
> 3. At this point, openssl is working in FIPS mode:
>     > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl version
>     OpenSSL 1.0.1e-fips 11 Feb 2013
>
>     > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl sha1 c_rehash
>     SHA1(c_rehash)= 5af9e1479950bbbd9d3304c181b3f802c54f64fd
>
>     > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 c_rehash
>     Error setting digest md5
>     139806582736544:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
>
> 4. Download stunnel-4.56.tar.gz, unpack, ./configure --enable-fips
> --with-ssl=/usr/local/ssl, make, and sudo make install
>
> 5. While configuring and building stunnel completes as expected, the
> following does appear in ./configure's output:
>
>     checking whether to enable FIPS mode support... yes
>     configure: **************************************** SSL
>     checking for SSL directory... /usr/local/ssl
>     checking /usr/local/ssl/include/openssl/engine.h usability... yes
>     checking /usr/local/ssl/include/openssl/engine.h presence... yes
>     checking for /usr/local/ssl/include/openssl/engine.h... yes
>     checking /usr/local/ssl/include/openssl/ocsp.h usability... yes
>     checking /usr/local/ssl/include/openssl/ocsp.h presence... yes
>     checking for /usr/local/ssl/include/openssl/ocsp.h... yes
>     checking /usr/local/ssl/include/openssl/fips.h usability... no
>     checking /usr/local/ssl/include/openssl/fips.h presence... no
>     checking for /usr/local/ssl/include/openssl/fips.h... no
>     configure: WARNING: OpenSSL fips header not found
>
> This is not entirely unexpected as fips.h only exists
> in /usr/local/ssl/fips-2.0/include/openssl.
>
> 6. Running stunnel however fails:
>
>     > /usr/local/bin/stunnel
>     Clients allowed=500
>     stunnel 4.56 on x86_64-unknown-linux-gnu platform
>     Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
>     Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
>     Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
>     FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match
>     Line 61: "[pop3s]": Failed to initialize SSL
>     str_stats: 5 block(s), 120 data byte(s), 290 control byte(s)
>
> I can't figure out what's causing this, hoping someone on the list may
> have a couple suggestions. Thanks in advance!
>