[stunnel-users] 5.xx Windows binaries - FIPS compliant?

Michal Trojnara Michal.Trojnara at mirt.net
Wed Mar 25 15:15:37 CET 2015


On 24.03.2015 18:08, Rob Lockhart wrote:
> That compiled version doesn't seem to be built with FIPS canister,
> as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar
> 2015" without a "-fips" appendage after the OpenSSL version. In
> other words, if it was built as FIPS-compliant, it would show: 
> "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"

"-fips" would indeed have been reported if I had included OpenSSL
headers in a specific order.  Namely,
  #include <openssl/opensslconf.h>
needs to be before:
  #include <openssl/opensslv.h>
.  I will correct this issue in the next release of stunnel.

> It may support the FIPS options (in the config file) but it's not 
> FIPS-compliant.

Yes, it is.  It just does not report it properly.

> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot
> be enabled. Am I understanding this correctly?

"fips = yes" option only works when OpenSSL is built with FIPS canister.
It is "compliant" when built according to the FIPS Security Policy:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
, where building with FIPS canister is the most basic requirement.

Thank you very much for reporting this issue!

Mike
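
The include-order effect described in the message above, as an added example that is not part of the original post or of stunnel's code. DEMO_FIPS, the TEXT_* macros and both functions are hypothetical stand-ins; the model assumes the version header picks its text with an #ifdef on a macro that the configuration header defines.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for opensslv.h seen BEFORE opensslconf.h: DEMO_FIPS is not
 * defined yet, so the plain text is selected (constructed model). */
#ifdef DEMO_FIPS
# define TEXT_VERSION_FIRST "OpenSSL 1.0.2a-fips 19 Mar 2015"
#else
# define TEXT_VERSION_FIRST "OpenSSL 1.0.2a 19 Mar 2015"
#endif

/* Stand-in for opensslconf.h of a build made with the FIPS canister. */
#define DEMO_FIPS 1

/* Stand-in for opensslv.h seen AFTER opensslconf.h. */
#ifdef DEMO_FIPS
# define TEXT_CONF_FIRST "OpenSSL 1.0.2a-fips 19 Mar 2015"
#else
# define TEXT_CONF_FIRST "OpenSSL 1.0.2a 19 Mar 2015"
#endif

/* Returns 1 if the version token after "OpenSSL " ends in "-fips". */
int banner_claims_fips(const char *banner)
{
    const char *p = strstr(banner, "OpenSSL ");
    size_t len;
    if (p == NULL)
        return 0;
    p += strlen("OpenSSL ");
    len = strcspn(p, " \t\r\n");   /* version token, e.g. 1.0.2a-fips */
    return len >= 5 && strncmp(p + len - 5, "-fips", 5) == 0;
}

/* Returns 1 when the build has the FIPS macro but the banner omits it. */
int banner_underreports(const char *banner)
{
    return DEMO_FIPS && !banner_claims_fips(banner);
}

int main(void)
{
    printf("version header first: %s -> underreports=%d\n",
           TEXT_VERSION_FIRST, banner_underreports(TEXT_VERSION_FIRST));
    printf("config header first:  %s -> underreports=%d\n",
           TEXT_CONF_FIRST, banner_underreports(TEXT_CONF_FIRST));
    return 0;
}
```

In this model the same build yields two different banners, so a missing "-fips" in the log line alone does not show how the binary was built.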

