[stunnel-users] FIPS compliant Stunnel build
Michael Curran
mike_curran at hotmail.com
Thu Jul 24 01:40:36 CEST 2014
I have already requested the CD of software from OpenSSL -- that section does not really assist with the build functions.
The FIPSDIR= option still did not allow Stunnel to autodiscover fips.h -- this is my OpenSSL 1.0.1h configure command:
openssl-fips-2.0.7: ./config ; make ; make install
openssl-1.0.1h: ./config fips --openssldir=/usr/local/openssl-100 --with-fipslibdir=/usr/local/ssl/fips-2.0/lib --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install
Stunnel 5.02
I am not installing the newer copy of OpenSSL to the rest of the system, just as libraries accessible to Stunnel, for building with a version that is different from the OS-installed OpenSSL, so as not to risk breaking ssh or OS upgrade capabilities.
./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install
During the make phase it just says it cannot find fips.h, but it also says FIPS is enabled. But when I tell it to use FIPS, I get:
checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status
Restarting Stunnel with fips=yes gives me this
[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL
The TODO file in the Stunnel 5.02 tarball has this:
* Support static FIPS-enabled build.
Does this mean that it can currently only support a system that is fully FIPS-enabled, and not the static libraries that I use for building Stunnel? That's what I get out of this.
And upon further reading of the INSTALL.FIPS file I confirm this
Unix HOWTO:
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported, i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
I cannot install it with dynamic libraries, as I am required to build via the actual instructions for FIPS 140-2 compliance, which implicitly state that I cannot call out shared as part of the config options.
Mike Curran
From: mike_curran at hotmail.com
To: nobody at dizum.com
Subject: RE: FIPS compliant Stunnel build
Date: Wed, 23 Jul 2014 17:34:08 -0500
> From: nobody at dizum.com
> To: mike_curran at hotmail.com
> Subject: Re: FIPS compliant Stunnel build
> Date: Thu, 24 Jul 2014 00:00:37 +0200
>
> it IS possible...
>
> use FIPSDIR environment variable --
> NOT any change to FIPS Object Module ./config command
>
> BUT most important see:
>
> 6.6 The "Secure Installation" Issue
>
> of
>
> User Guide for the OpenSSL FIPS Object Module v2.0
> (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)
>
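The exchange above turns on two things stunnel's build wants from a private OpenSSL prefix: configure probes PREFIX/include/openssl/fips.h (the exact paths in the quoted configure output), and INSTALL.FIPS says only dynamic linking of the FIPS-enabled OpenSSL is supported. The script below is an added example, not code from the thread, from stunnel or from OpenSSL; it checks both conditions on a prefix before ./configure --with-ssl=PREFIX is run, so the "OpenSSL fips header not found" warning is caught up front rather than discovered at runtime as "fips mode not supported". Assumptions are labelled in the comments: the shared library is taken to be PREFIX/lib/libcrypto.so* (Linux naming), and make_fixture builds a constructed directory tree standing in for an OpenSSL install so the check can be exercised offline.

```shell
#!/bin/sh
# Pre-flight check of a private OpenSSL prefix before running
#   ./configure --with-ssl=PREFIX   (stunnel) with FIPS support.
# Added example, not code from the thread or from the stunnel/OpenSSL projects.
# Assumptions: stunnel's configure probes PREFIX/include/openssl/fips.h, as the
# quoted configure output shows; INSTALL.FIPS requires dynamic linking, which
# this script takes to mean a PREFIX/lib/libcrypto.so* file (Linux naming;
# adjust the glob for lib64 or other platforms).

check_fips_prefix() {
    prefix=$1
    rc=0

    # 1. The header stunnel's configure looks for. Without it, configure prints
    #    "WARNING: OpenSSL fips header not found" (see the quoted output).
    if [ -f "$prefix/include/openssl/fips.h" ]; then
        echo "ok:   $prefix/include/openssl/fips.h present"
    else
        echo "FAIL: $prefix/include/openssl/fips.h missing"
        rc=1
    fi

    # 2. A shared libcrypto. INSTALL.FIPS supports only dynamic linking of the
    #    FIPS-enabled OpenSSL, so a static-only install cannot satisfy stunnel.
    #    An unmatched glob stays literal in POSIX sh, so -e then fails.
    set -- "$prefix"/lib/libcrypto.so*
    if [ -e "$1" ]; then
        echo "ok:   shared libcrypto found: $1"
    else
        echo "FAIL: no $prefix/lib/libcrypto.so* (OpenSSL not configured with 'shared')"
        rc=1
    fi

    return "$rc"
}

# Constructed stand-in for an OpenSSL install prefix, used only to exercise
# the check offline. Arguments: DIR WITH_FIPS_H(yes|no) WITH_SHARED(yes|no)
make_fixture() {
    dir=$1
    mkdir -p "$dir/include/openssl" "$dir/lib"
    : > "$dir/include/openssl/engine.h"
    : > "$dir/include/openssl/ocsp.h"
    if [ "$2" = yes ]; then : > "$dir/include/openssl/fips.h"; fi
    if [ "$3" = yes ]; then : > "$dir/lib/libcrypto.so.1.0.0"; fi
}

# Usage: sh check_fips_prefix.sh /usr/local/openssl-100
if [ $# -gt 0 ]; then
    check_fips_prefix "$1"
fi
```

Run it against the prefix handed to --with-ssl; a non-zero exit means stunnel's configure will either warn about the missing header or, for a static-only OpenSSL, produce a binary that cannot enter FIPS mode.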