[stunnel-users] Stunnel 4.56 and FIPS

Ondrej Hrebicek ondrej at gmail.com
Tue Jul 9 09:11:36 CEST 2013


Many thanks Mehmet. Compiling openssl with the "shared" option helped. That
resulted in the stunnel build process generating an stunnel executable that
dynamically linked to libcrypto.so. With this configuration, the FIPS
fingerprint is embedded in the shared library itself and the FIPS
self-verification step succeeds.

Without the "shared" option, stunnel was linking in libcrypto.a statically.
With this configuration, fipsld is needed to embed the FIPS fingerprint
into the stunnel executable at compile time. However, this does not appear
to be currently supported by the stunnel build process.

The reason openssl (application) worked in my examples below is that the
openssl build process does support FIPS in both configurations: as-is when
dynamically linked, and with fipsld when statically linked.


On Sun, Jul 7, 2013 at 11:43 PM, mehmet ozisik <mehmetzsk at gmail.com> wrote:

> Hi,
>
> I was having the same error on x86. Then I read this and followed the
> instructions written in this post, and it worked successfully. Please
> have a look at this:
>
> http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html
>
> Regards
> Mehmet
>
>
> 2013/7/8 Ondrej Hrebicek <ondrej at gmail.com>
>
>> Hello stunnel users,
>>
>> I'm trying to compile stunnel 4.56 with FIPS support on Ubuntu 12.04. I
>> always end up with the infamous "fingerprint does not match" error. I can't
>> figure out what I'm doing wrong.
>>
>> 1. Download openssl-fips-2.0.2.tar.gz, unpack, ./config, make, and sudo
>> make install (as specified in
>> http://www.openssl.org/docs/fips/UserGuide-2.0.pdf)
>>
>> 2. Download openssl-1.0.1e.tar.gz, unpack, ./config fips
>> --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/
>> --with-fipsdir=/usr/local/ssl/fips-2.0/, make depend, make, and sudo make
>> install
>>
>> 3. At this point, openssl is working in FIPS mode:
>>     > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl version
>>     OpenSSL 1.0.1e-fips 11 Feb 2013
>>
>>     > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl sha1 c_rehash
>>     SHA1(c_rehash)= 5af9e1479950bbbd9d3304c181b3f802c54f64fd
>>
>>     > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 c_rehash
>>     Error setting digest md5
>>     139806582736544:error:060A80A3:digital envelope
>> routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:
>>
>> 4. Download stunnel-4.56.tar.gz, unpack, ./configure --enable-fips
>> --with-ssl=/usr/local/ssl, make, and sudo make install
>>
>> 5. While configuring and building stunnel completes as expected, the
>> following does appear in ./configure's output:
>>
>>     checking whether to enable FIPS mode support... yes
>>     configure: **************************************** SSL
>>     checking for SSL directory... /usr/local/ssl
>>     checking /usr/local/ssl/include/openssl/engine.h usability... yes
>>     checking /usr/local/ssl/include/openssl/engine.h presence... yes
>>     checking for /usr/local/ssl/include/openssl/engine.h... yes
>>     checking /usr/local/ssl/include/openssl/ocsp.h usability... yes
>>     checking /usr/local/ssl/include/openssl/ocsp.h presence... yes
>>     checking for /usr/local/ssl/include/openssl/ocsp.h... yes
>>     checking /usr/local/ssl/include/openssl/fips.h usability... no
>>     checking /usr/local/ssl/include/openssl/fips.h presence... no
>>     checking for /usr/local/ssl/include/openssl/fips.h... no
>>     configure: WARNING: OpenSSL fips header not found
>>
>> This is not entirely unexpected as fips.h only exists
>> in /usr/local/ssl/fips-2.0/include/openssl.
>>
>> 6. Running stunnel however fails:
>>
>>     > /usr/local/bin/stunnel
>>     Clients allowed=500
>>     stunnel 4.56 on x86_64-unknown-linux-gnu platform
>>     Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013
>>     Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
>>     Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
>>     FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS
>> routines:FIPS_check_incore_fingerprint:fingerprint does not match
>>     Line 61: "[pop3s]": Failed to initialize SSL
>>     str_stats: 5 block(s), 120 data byte(s), 290 control byte(s)
>>
>> I can't figure out what's causing this, and I'm hoping someone on the list
>> may have a couple of suggestions. Thanks in advance!
>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>>
>
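As an added example (not code from the thread, from stunnel or from OpenSSL), a small POSIX shell script that tells apart the two build configurations described in the reply above: it checks whether the stunnel binary resolves libcrypto.so at run time (fingerprint in the shared library, no fipsld needed) or carries libcrypto.a statically (fipsld must embed the fingerprint), and repeats the digest smoke test from step 3 of the original post (SHA1 accepted, MD5 refused in FIPS mode). It assumes ldd is available; the default paths are the ones used in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from stunnel: tells apart the two
# build configurations described above and repeats the digest smoke test.
# Assumes ldd is available; default paths are the ones used in the thread.

# Read ldd output on stdin. "dynamic": libcrypto.so is resolved at run time,
# so the FIPS fingerprint lives in the shared library. "static": libcrypto.a
# was linked in, so fipsld must embed the fingerprint in the executable.
classify_linkage() {
    if grep -q 'libcrypto\.so'; then
        echo dynamic
    else
        echo static
    fi
}

# Exit 0 when the given linkage requires fipsld, 1 when it does not.
needs_fipsld() {
    case "$1" in
        static)  return 0 ;;
        dynamic) return 1 ;;
        *) echo "unknown linkage: $1" >&2; return 2 ;;
    esac
}

# Step 3 of the original post as a check: in FIPS mode SHA1 must succeed
# and MD5 must be refused. $1 = openssl binary, $2 = file to digest.
fips_digest_check() {
    sha_ok=0; md5_refused=0
    OPENSSL_FIPS=1 "$1" sha1 "$2" >/dev/null 2>&1 && sha_ok=1
    OPENSSL_FIPS=1 "$1" md5 "$2" >/dev/null 2>&1 || md5_refused=1
    if [ "$sha_ok" -eq 1 ] && [ "$md5_refused" -eq 1 ]; then
        echo fips-ok
    else
        echo fips-not-ok
    fi
}

main() {
    stunnel_bin="${1:-/usr/local/bin/stunnel}"
    openssl_bin="${2:-/usr/local/ssl/bin/openssl}"
    mode=$(ldd "$stunnel_bin" 2>/dev/null | classify_linkage)
    echo "stunnel libcrypto linkage: $mode"
    if needs_fipsld "$mode"; then
        echo "libcrypto.a linked statically: fipsld must embed the fingerprint"
    fi
    echo "openssl FIPS digest check: $(fips_digest_check "$openssl_bin" "$stunnel_bin")"
}
# Run only when the stunnel binary exists, so the functions can also be sourced.
[ -x "${1:-/usr/local/bin/stunnel}" ] && main "$@"
```

Run it as `sh fips-check.sh /usr/local/bin/stunnel /usr/local/ssl/bin/openssl`; a "static" result with "fingerprint does not match" at start-up is exactly the configuration the reply above describes.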