I have already requested the CD of software from OpenSSL -- that section does 
not really assist with the build functions. 

The FIPSDIR= option still did not allow Stunnel to autodiscover fips.h -- this 
is my openssl-1.0.1h configure command: 
openssl-fips-2.0.7: ./config ; make ; make install
openssl-1.0.1h: ./config fips --openssldir=/usr/local/openssl-100 \
    --with-fipslibdir=/usr/local/ssl/fips-2.0/lib \
    --with-fipsdir=/usr/local/ssl/fips-2.0/ ; make depend ; make ; make test ; make install
Stunnel 5.02:

I am not installing the newer copy of OpenSSL to the rest of the system, just 
as libraries accessible to Stunnel, for building with a version that is 
different from the OS-installed OpenSSL, so as not to risk breaking ssh or OS 
upgrade capabilities: 
./configure --with-ssl=/usr/local/openssl-100 --disable-libwrap ; make ; make install


During the make phase it just says it cannot find fips.h, but it says FIPS 
enabled -- but when I tell it to use FIPS I get: 
checking whether to enable FIPS mode support... yes
configure: **************************************** SSL
checking for SSL directory... /usr/local/openssl-100
checking /usr/local/openssl-100/include/openssl/engine.h usability... yes
checking /usr/local/openssl-100/include/openssl/engine.h presence... yes
checking for /usr/local/openssl-100/include/openssl/engine.h... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h usability... yes
checking /usr/local/openssl-100/include/openssl/ocsp.h presence... yes
checking for /usr/local/openssl-100/include/openssl/ocsp.h... yes
checking /usr/local/openssl-100/include/openssl/fips.h usability... no
checking /usr/local/openssl-100/include/openssl/fips.h presence... no
checking for /usr/local/openssl-100/include/openssl/fips.h... no
configure: WARNING: OpenSSL fips header not found
configure: **************************************** write the results
configure: creating ./config.status
Restarting Stunnel with fips=yes gives me this: 
[!] FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
[!] Line 35: "[webapp]": Failed to initialize SSL

The TODO file in the Stunnel 5.02 tarball has this: 
* Support static FIPS-enabled build.
Does this mean that it can only currently support a system that is fully FIPS 
enabled and not my static libraries that I use for building Stunnel? That's what 
I get out of this.
And upon further reading of the INSTALL.FIPS file I confirm this: 
Unix HOWTO:
* Only dynamic linking of the FIPS-enabled OpenSSL is currently supported, 
  i.e. FIPS-enabled OpenSSL has to be configured with "shared" parameter.
I cannot install it with dynamic libraries, as I am required to build via the 
actual instructions for FIPS 140-2 compliance, which implicitly states I cannot 
call out shared as part of the config options.

Mike Curran
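A preflight script for the layout that stunnel's configure and a FIPS-capable libcrypto expect, added here as an example and not code from stunnel, OpenSSL or either author in the thread. It takes the two install paths from the message above (/usr/local/openssl-100 and /usr/local/ssl/fips-2.0) only as example arguments, and the tarball directory names in its build function are assumed from the versions quoted. It relies on three documented facts rather than guesses: the FIPS Object Module's own make install places fips.h under FIPSDIR/include/openssl and fipscanister.o (with its .sha1) under FIPSDIR/lib; a libcrypto compiled without OPENSSL_FIPS answers FIPS_mode_set() with exactly the error quoted above, 0F06D065 "fips mode not supported"; and the Security Policy's no-changes rule covers the ./config of the FIPS Object Module itself, which is what the quoted reply says, while the OpenSSL 1.0.1 library that links the module may be configured with "shared" as stunnel's INSTALL.FIPS requires.

```shell
#!/bin/sh
# Preflight for a stunnel build against a separately installed, FIPS-capable
# OpenSSL 1.0.x. Added example; not code from stunnel or OpenSSL.
#   SSLDIR  = OpenSSL's --openssldir / stunnel's --with-ssl (e.g. /usr/local/openssl-100)
#   FIPSDIR = where the FIPS Object Module was installed (e.g. /usr/local/ssl/fips-2.0)
# Both are taken as arguments; nothing about the host is assumed.
# Every check returns 0 on pass and 1 on fail.

# stunnel's configure probes exactly this path (the "checking
# .../include/openssl/fips.h presence" lines in the log).
has_fips_header() {
    [ -f "$1/include/openssl/fips.h" ]
}

# The FIPS Object Module's own "make install" drops the canister and its
# digest here; they are what a FIPS-capable OpenSSL links against.
fips_canister_present() {
    [ -f "$1/lib/fipscanister.o" ] && [ -f "$1/lib/fipscanister.o.sha1" ]
}

# "./config fips" writes "#define OPENSSL_FIPS" into opensslconf.h. A libcrypto
# compiled without OPENSSL_FIPS answers FIPS_mode_set(1) with error 0F06D065
# "fips mode not supported", the message in the stunnel log.
openssl_fips_configured() {
    grep -Eq '^#[[:space:]]*define[[:space:]]+OPENSSL_FIPS([[:space:]]|$)' \
        "$1/include/openssl/opensslconf.h" 2>/dev/null
}

# stunnel's INSTALL.FIPS supports only dynamic linking, so SSLDIR/lib must
# hold a shared libcrypto, not just libcrypto.a.
shared_libcrypto_present() {
    for f in "$1"/lib/libcrypto.so*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Runs all checks, one report line each; returns the number of failures.
fips_preflight() {
    ssldir=$1; fipsdir=$2; fails=0
    if fips_canister_present "$fipsdir"; then
        echo "ok   fipscanister.o (+.sha1) under $fipsdir/lib"
    else
        echo "FAIL no fipscanister.o under $fipsdir/lib: FIPS module not installed there"
        fails=$((fails + 1))
    fi
    if openssl_fips_configured "$ssldir"; then
        echo "ok   OPENSSL_FIPS defined in $ssldir/include/openssl/opensslconf.h"
    else
        echo "FAIL OPENSSL_FIPS not defined: this libcrypto will say 'fips mode not supported'"
        fails=$((fails + 1))
    fi
    if has_fips_header "$ssldir"; then
        echo "ok   fips.h under $ssldir/include/openssl"
    else
        echo "FAIL fips.h missing from $ssldir/include/openssl (configure warns 'OpenSSL fips header not found')"
        if has_fips_header "$fipsdir"; then
            echo "     the module's own copy is $fipsdir/include/openssl/fips.h"
        fi
        fails=$((fails + 1))
    fi
    if shared_libcrypto_present "$ssldir"; then
        echo "ok   shared libcrypto under $ssldir/lib"
    else
        echo "FAIL no libcrypto.so* under $ssldir/lib: INSTALL.FIPS supports only dynamic linking"
        fails=$((fails + 1))
    fi
    return $fails
}

# Which libcrypto a built stunnel binary resolves at run time. If this is the
# distribution's library rather than SSLDIR/lib, stunnel is loading a libcrypto
# that was never built with "fips", whatever the build tree looked like.
runtime_libcrypto() {
    ldd "$1" 2>/dev/null | awk '/libcrypto/ { print $3 }'
}

# Build order consistent with the constraints above (not executed by default).
# The Security Policy fixes the FIPS Object Module's own ./config line; the
# OpenSSL library that links the module is not under that restriction and can
# take "shared", which stunnel's INSTALL.FIPS requires. FIPSDIR in the
# environment tells OpenSSL's Configure where the module was installed (the
# module installs to /usr/local/ssl/fips-2.0 by default, so pass that).
# Directory names are assumed from the tarball versions in the message above.
build_fips_stack() {
    ssldir=$1; fipsdir=$2
    (cd openssl-fips-2.0.7 && ./config && make && make install) || return 1
    (cd openssl-1.0.1h && FIPSDIR="$fipsdir" ./config fips shared --openssldir="$ssldir" \
        && make depend && make && make test && make install) || return 1
    (cd stunnel-5.02 && ./configure --with-ssl="$ssldir" --disable-libwrap \
        && make && make install)
}

# Usage: sh fips_preflight.sh SSLDIR FIPSDIR   (no arguments: only defines the functions)
if [ $# -ge 2 ]; then
    fips_preflight "$1" "$2"
fi
```

Run it as sh fips_preflight.sh /usr/local/openssl-100 /usr/local/ssl/fips-2.0 after OpenSSL's make install and before stunnel's ./configure; the fips.h and shared-library checks correspond to the two failures visible in the log above, and runtime_libcrypto on the finished stunnel binary shows whether the 0F06D065 error comes from the intended libcrypto or from the OS-installed one.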
From: [email protected]
To: [email protected]
Subject: RE: FIPS compliant Stunnel build
Date: Wed, 23 Jul 2014 17:34:08 -0500
> From: [email protected]
> To: [email protected]
> Subject: Re: FIPS compliant Stunnel build
> Date: Thu, 24 Jul 2014 00:00:37 +0200
> 
> it IS possible...
> 
> use FIPSDIR environment variable -- 
> NOT any change to FIPS Object Module ./config command
> 
> BUT most important see:
> 
> 6.6 The "Secure Installation" Issue
> 
> of
> 
> User Guide for the OpenSSL FIPS Object Module v2.0
> (including v2.0.1, v2.0.2, v2.0.3, v2.0.4, v2.0.5, v2.0.6, v2.0.7)
> 
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users