On Wed, Mar 25, 2015 at 10:15 AM, Michal Trojnara <[email protected]> wrote:
> On 24.03.2015 18:08, Rob Lockhart wrote:
>> That compiled version doesn't seem to be built with FIPS canister,
>> as the log shows: "Compiled/running with OpenSSL 1.0.2a 19 Mar
>> 2015" without a "-fips" appendage after the OpenSSL version. In
>> other words, if it was built as FIPS-compliant, it would show:
>> "Compiled/running with OpenSSL 1.0.2a-fips 19 Mar 2015"
>
> "-fips" would indeed have been reported if I had included OpenSSL
> headers in a specific order. Namely,
> #include <openssl/opensslconf.h>
> needs to be before:
> #include <openssl/opensslv.h>
> . I will correct this issue in the next release of stunnel.
>
>> It may support the FIPS options (in the config file) but it's not
>> FIPS-compliant.
>
> Yes, it is. It just does not report it properly.
>
>> Specifically, FIPS-compliant does NOT imply that FIPS mode cannot
>> be enabled. Am I understanding this correctly?
>
> "fips = yes" option only works when OpenSSL is built with FIPS canister.
> It is "compliant" when built according to the FIPS Security Policy:
> http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp1747.pdf
> , where building with FIPS canister is the most basic requirement.
>
> Thank you very much for reporting this issue!
>
> Mike

Thanks for your follow-up; I assumed that it was a cosmetic error and not a build issue too after seeing that "openssl.exe" was included in the install directory. Running "openssl.exe version" in a CMD prompt showed the "-fips" appendage. Thanks for fixing stunnel!

-Rob
_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
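
Why the include order discussed in this thread changes the reported string, as an added example that is not stunnel or OpenSSL code: in OpenSSL 1.0.x, opensslv.h chooses the version text with `#ifdef OPENSSL_FIPS`, and a FIPS-capable build gets that macro from opensslconf.h. The `DEMO_*` macros, the helper functions and the run-time string are hypothetical stand-ins that reproduce both orders in one file and compare the compiled-in text with what the library reports.

```c
#include <stdio.h>
#include <string.h>

/* Order A: version header seen first, so the FIPS macro is not defined yet. */
#ifdef DEMO_OPENSSL_FIPS
# define DEMO_TEXT_VERSION_FIRST "OpenSSL 1.0.2a-fips 19 Mar 2015"
#else
# define DEMO_TEXT_VERSION_FIRST "OpenSSL 1.0.2a 19 Mar 2015"
#endif

/* Stand-in for what opensslconf.h provides in a FIPS-capable build. */
#define DEMO_OPENSSL_FIPS

/* Order B: the same test, evaluated after the config header. */
#ifdef DEMO_OPENSSL_FIPS
# define DEMO_TEXT_CONF_FIRST "OpenSSL 1.0.2a-fips 19 Mar 2015"
#else
# define DEMO_TEXT_CONF_FIRST "OpenSSL 1.0.2a 19 Mar 2015"
#endif

const char *text_version_first(void) { return DEMO_TEXT_VERSION_FIRST; }
const char *text_conf_first(void)    { return DEMO_TEXT_CONF_FIRST; }

/* Return 1 if the version token (second word) ends in "-fips". */
int reports_fips(const char *text)
{
    const char *tok = strchr(text, ' ');
    size_t len;
    if (tok == NULL) return 0;
    len = strcspn(++tok, " ");
    return len >= 5 && strncmp(tok + len - 5, "-fips", 5) == 0;
}

enum banner_status { BANNER_OK, BANNER_COSMETIC, LIBRARY_NOT_FIPS_CAPABLE };

/* Compare the text frozen into the application at compile time with the
 * text the linked library reports at run time (constructed sample below). */
enum banner_status classify(const char *compiled, const char *runtime)
{
    if (!reports_fips(runtime)) return LIBRARY_NOT_FIPS_CAPABLE;
    return reports_fips(compiled) ? BANNER_OK : BANNER_COSMETIC;
}

int main(void)
{
    const char *runtime = "OpenSSL 1.0.2a-fips 19 Mar 2015"; /* constructed */
    printf("version first: %s -> status %d\n", text_version_first(),
           classify(text_version_first(), runtime));
    printf("conf first:    %s -> status %d\n", text_conf_first(),
           classify(text_conf_first(), runtime));
    return 0;
}
```

The suffix only says the library was built with the FIPS canister; it does not show whether "fips = yes" is in effect.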
