<div dir="ltr">Hi,<div><br></div><div style>I was having same error on x86. Then I have read this and followed the instructions written on this post, then it has worked successfully. Please have a look at this :</div><div style>
<br></div><div style><a href="http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html">http://www.mail-archive.com/openssl-users@openssl.org/msg68085.html</a><br></div><div style><br></div><div style>Regards</div>
<div style>Mehmet</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/8 Ondrej Hrebicek <span dir="ltr"><<a href="mailto:ondrej@gmail.com" target="_blank">ondrej@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">Hello stunnel users,</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">

I'm trying to compile stunnel 4.56 with FIPS support on Ubuntu 12.04. Always end up with the infamous "fingerprint does not match" error. I can't figure out what I'm doing wrong.</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">1. Download openssl-fips-2.0.2.tar.gz, unpack, ./config, make, and sudo make install (as specified in <a href="http://www.openssl.org/docs/fips/UserGuide-2.0.pdf" target="_blank">http://www.openssl.org/docs/fips/UserGuide-2.0.pdf</a>)</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">2. Download openssl-1.0.1e.tar.gz, unpack, ./config fips --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ --with-fipsdir=/usr/local/ssl/fips-2.0/, make depend, make, and sudo make install</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">3. At this point, openssl is working in FIPS mode:</div><div style="font-family:arial,sans-serif;font-size:13px">

    > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl version</div><div style="font-family:arial,sans-serif;font-size:13px">    OpenSSL 1.0.1e-fips 11 Feb 2013</div><div style="font-family:arial,sans-serif;font-size:13px"><br>

</div><div style="font-family:arial,sans-serif;font-size:13px">    > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl sha1 c_rehash</div><div style="font-family:arial,sans-serif;font-size:13px">    SHA1(c_rehash)= 5af9e1479950bbbd9d3304c181b3f802c54f64fd</div>

<div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">    > OPENSSL_FIPS=1 /usr/local/ssl/bin/openssl md5 c_rehash</div><div style="font-family:arial,sans-serif;font-size:13px">

    Error setting digest md5</div><div style="font-family:arial,sans-serif;font-size:13px">    139806582736544:error:060A80A3:digital envelope routines:FIPS_DIGESTINIT:disabled for fips:fips_md.c:180:</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">4. Download stunnel-4.56.tar.gz, unpack, ./configure --enable-fips --with-ssl=/usr/local/ssl, make, and sudo make install</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px">5. While configuring and building stunnel completes as expected, the following does appear in ./configure's output:</div><div style="font-family:arial,sans-serif;font-size:13px">

<br></div><div style="font-family:arial,sans-serif;font-size:13px"><div>    checking whether to enable FIPS mode support... yes</div><div>    configure: **************************************** SSL</div><div>    checking for SSL directory... /usr/local/ssl</div>

<div>    checking /usr/local/ssl/include/openssl/engine.h usability... yes</div><div>    checking /usr/local/ssl/include/openssl/engine.h presence... yes</div><div>    checking for /usr/local/ssl/include/openssl/engine.h... yes</div>

<div>    checking /usr/local/ssl/include/openssl/ocsp.h usability... yes</div><div>    checking /usr/local/ssl/include/openssl/ocsp.h presence... yes</div><div>    checking for /usr/local/ssl/include/openssl/ocsp.h... yes</div>

<div>    checking /usr/local/ssl/include/openssl/fips.h usability... no</div><div>    checking /usr/local/ssl/include/openssl/fips.h presence... no</div><div>    checking for /usr/local/ssl/include/openssl/fips.h... no</div>

<div>    configure: WARNING: OpenSSL fips header not found</div><div><br></div><div>This is not entirely unexpected as fips.h only exists in /usr/local/ssl/fips-2.0/include/openssl.</div><div><br></div><div>6. Running stunnel however fails:</div>

<div><br></div><div>    > /usr/local/bin/stunnel</div><div>    Clients allowed=500</div><div>    stunnel 4.56 on x86_64-unknown-linux-gnu platform</div><div>    Compiled/running with OpenSSL 1.0.1e-fips 11 Feb 2013</div>

<div>    Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS</div><div>    Reading configuration from file /usr/local/etc/stunnel/stunnel.conf</div><div>    FIPS_mode_set: 2D06B06F: error:2D06B06F:FIPS routines:FIPS_check_incore_fingerprint:fingerprint does not match</div>

<div>    Line 61: "[pop3s]": Failed to initialize SSL</div><div>    str_stats: 5 block(s), 120 data byte(s), 290 control byte(s)</div><div><br></div><div>I can't figure out what's causing this, hoping someone on the list may have a couple suggestions. Thanks in advance!</div>

</div></div>
<br>_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org">stunnel-users@stunnel.org</a><br>
<a href="https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users" target="_blank">https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users</a><br>
<br></blockquote></div><br></div>