[stunnel-users] 5.xx Windows binaries - FIPS compliant?
rlockhar at gmail.com
Mon Mar 30 22:42:35 CEST 2015
On Wed, Mar 25, 2015 at 10:15 AM, Michal Trojnara
<Michal.Trojnara at mirt.net> wrote:
> On 24.03.2015 18:08, Rob Lockhart wrote:
>> That compiled version doesn't seem to be built with FIPS canister,
>> as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar
>> 2015" without a "-fips" appendage after the OpenSSL version. In
>> other words, if it was built as FIPS-compliant, it would show:
>> "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
> "-fips" would indeed have been reported if I had included OpenSSL
> headers in a specific order. Namely,
> #include <openssl/opensslconf.h>
> needs to be before:
> #include <openssl/opensslv.h>
> I will correct this issue in the next release of stunnel.
>> It may support the FIPS options (in the config file) but it's not
> Yes, it is. It just does not report it properly.
>> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot
>> be enabled. Am I understanding this correctly?
> "fips = yes" option only works when OpenSSL is built with FIPS canister.
> It is "compliant" when built according to the FIPS Security Policy:
> , where building with FIPS canister is the most basic requirement.
> Thank you very much for reporting this issue!
Thanks for your follow-up; I assumed that it was a cosmetic error and
not a build issue too after seeing that "openssl.exe" was included in
the install directory. Running "openssl.exe version" in a CMD prompt
showed the "-fips" appendage.
Thanks for fixing stunnel!
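The thread turns on the fact that stunnel's startup line ("Compiled/running with OpenSSL 1.0.2a 19 Mar 2015") is not by itself a reliable indicator of a FIPS canister build, because the "-fips" suffix is a compile-time artefact that depends on header include order, while "openssl version" on the bundled binary does show it. The script below is an added example, not part of this thread or of stunnel, that parses the startup lines and an optional "openssl version" output and reports whether the evidence supports a FIPS-capable build. The log lines and the function names (parse_openssl_version, parse_stunnel_startup, assess_fips) are constructed for this example; the line formats follow stunnel 5.x's startup banner as I know it, not text taken from this thread.

```python
import re
from typing import Dict, List, Optional

# Matches an OpenSSL version text such as "OpenSSL 1.0.2a-fips 19 Mar 2015".
# The optional "-fips" group is the marker discussed in the thread.
_VERSION_RE = re.compile(
    r"OpenSSL (?P<version>\d+\.\d+\.\d+[a-z]*)(?P<fips>-fips)?\s+"
    r"(?P<date>\d{1,2} \w{3} \d{4})"
)

# Constructed sample of what stunnel prints at startup (made up for this
# example; reproduces the situation in the thread: FIPS support compiled
# into stunnel, but no "-fips" suffix in the reported OpenSSL version).
SAMPLE_LOG = [
    "2015.03.24 18:08:12 LOG5[main]: stunnel 5.14 on x86-pc-mingw32-gnu platform",
    "2015.03.24 18:08:12 LOG5[main]: Compiled/running with OpenSSL 1.0.2a 19 Mar 2015",
    "2015.03.24 18:08:12 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 "
    "TLS:ENGINE,FIPS,OCSP,PSK,SNI",
]

# Constructed output of "openssl.exe version" from the same install directory.
SAMPLE_CLI = "OpenSSL 1.0.2a-fips 19 Mar 2015"


def parse_openssl_version(text: str) -> Optional[Dict[str, object]]:
    """Extract version, build date and the "-fips" marker from any text
    carrying an OpenSSL version string (stunnel log line or CLI output)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return {
        "version": m.group("version"),
        "fips": m.group("fips") is not None,
        "date": m.group("date"),
    }


def parse_stunnel_startup(lines: List[str]) -> Dict[str, object]:
    """Collect the compiled/running OpenSSL versions and the TLS feature
    list from stunnel's startup banner."""
    info: Dict[str, object] = {"compiled": None, "running": None, "tls_features": []}
    for line in lines:
        if "Compiled/running with" in line:
            v = parse_openssl_version(line)
            info["compiled"] = info["running"] = v
        elif "Compiled with" in line:
            info["compiled"] = parse_openssl_version(line)
        elif "Running with" in line.replace("  ", " "):
            info["running"] = parse_openssl_version(line)
        m = re.search(r"TLS:([A-Z0-9,]+)", line)
        if m:
            info["tls_features"] = m.group(1).split(",")
    return info


def assess_fips(info: Dict[str, object], openssl_cli_output: Optional[str] = None) -> str:
    """Return "fips-canister", "no-fips", "inconclusive" or "unknown".

    The log's "-fips" suffix is trusted when present. When it is absent,
    the CLI output (if supplied) is the deciding evidence, because the
    suffix can be missing for purely cosmetic reasons (header order).
    """
    running = info["running"]
    if running is None:
        return "unknown"
    if running["fips"]:
        return "fips-canister"
    if openssl_cli_output is not None:
        cli = parse_openssl_version(openssl_cli_output)
        if cli is not None:
            same_build = cli["version"] == running["version"] and cli["date"] == running["date"]
            return "fips-canister" if (cli["fips"] and same_build) else "no-fips"
    # stunnel lists FIPS among its TLS features, so "fips = yes" is at least
    # wired in; whether the linked OpenSSL has the canister cannot be told
    # from the version text alone.
    if "FIPS" in info["tls_features"]:
        return "inconclusive"
    return "no-fips"


if __name__ == "__main__":
    banner = parse_stunnel_startup(SAMPLE_LOG)
    print("log only:     ", assess_fips(banner))
    print("log + openssl:", assess_fips(banner, SAMPLE_CLI))
```

Run on the constructed lines, the log alone yields "inconclusive" and the log plus the "openssl version" output yields "fips-canister", which mirrors the conclusion reached in the thread. The same-build check (version and date must match) guards against pairing the log with output from a different OpenSSL DLL than the one stunnel actually loaded.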