[stunnel-users] FIPS compliant Stunnel build

Michal Trojnara Michal.Trojnara at mirt.net
Thu Jul 24 16:43:12 CEST 2014

Michael Curran wrote:
> I cannot install it with dynamic libraries as I am required to 
> build via the actual instructions for FIPS 140-2 compliance which 
> implicitly states I cannot call out shared as part of the config 
> options.

Please let me give you a high-level overview of building stunnel with
FIPS support.  The process consists of three steps:
1. You need to build the FIPS canister.  This canister contains all
the cryptographic operations operations allowed for use in FIPS mode.
2. You need to build OpenSSL shared libraries using the FIPS container
build in step (1).
3. You need to build stunnel with the OpenSSL libraries built in step (2).

The requirements for config options *only* apply to step (1).

You should verify step (2) with "openssl version".
The output should be something like:
    OpenSSL 1.0.1h-fips 5 Jun 2014
Please note "fips" in the OpenSSL version.

Then, you should verify step (3) with "stunnel -version".
The output should contain something like:
    Compiled/running with OpenSSL 1.0.1h-fips 5 Jun 2014
Please note "fips" in the OpenSSL version.

If you have both FIPS and non-FIPS OpenSSL libraries you should make
sure that the proper one is used.  On Linux you can do it either
globally using the /etc/ld.so.conf file, or within the current session
using the LD_LIBRARY_PATH environmental variable.

BTW: You can safely ignore the stunnel warning about fips.h.  The
recent versions of stunnel no longer directly use this file.
The warning will be removed in the next release of stunnel.


More information about the stunnel-users mailing list