[stunnel-users] 5.xx Windows binaries - FIPS compliant?
Michal.Trojnara at mirt.net
Wed Mar 25 15:15:37 CET 2015
On 24.03.2015 18:08, Rob Lockhart wrote:
> That compiled version doesn't seem to be built with FIPS canister,
> as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar
> 2015" without a "-fips" appendage after the OpenSSL version. In
> other words, if it was built as FIPS-compliant, it would show:
> "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"

"-fips" would indeed have been reported if I had included OpenSSL
headers in a specific order. Namely,
needs to be before:
. I will correct this issue in the next release of stunnel.

> It may support the FIPS options (in the config file) but it's not

Yes, it is. It just does not report it properly.

> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot
> be enabled. Am I understanding this correctly?

"fips = yes" option only works when OpenSSL is built with FIPS canister.
It is "compliant" when built according to the FIPS Security Policy:
, where building with FIPS canister is the most basic requirement.

Thank you very much for reporting this issue!