configure FIPS for openssl/stunnel in compile or run time?


Hello. Recently I had a failure running the binary distribution of stunnel on OpenSUSE 13.1; the error was "FIPS mode not set". I can see 5 possibilities:

1. FIPS is set before compiling stunnel.
2. FIPS is set in run time for stunnel.
3. FIPS is set before compiling openssl.
4. FIPS is set in run time for openssl.
5. FIPS is an OS thing; I had to get the enterprise edition of SUSE to use it, or get myself a version of stunnel without it.

There is no clue which one is true, and trial and error would take a whole afternoon at my level. Kindly let me know how you handle the case?

Here is the background information:

The error is produced even with a blank configuration file (not specifying any section in [xxx] format):

      cat /var/log/rc.stunnel.log

Clients allowed=500
stunnel 4.56 on x86_64-suse-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Reading configuration from file /etc/stunnel/stunnel.conf
FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
Global options: Failed to initialize SSL
str_stats: 5 block(s), 87 data byte(s), 290 control byte(s)


stunnel version:

~> zypper se -is stunnel
Loading repository data...
Reading installed packages...

S | Name    | Type    | Version  | Arch   | Repository
i | stunnel | package | 4.56-1.1 | x86_64 | security: stunnel

Re: configure FIPS for openssl/stunnel in compile or run time?

On Wed, 18 Dec 2013 20:18:58 +0800, Zhang Weiwu wrote:

Not running Suse, but my solution to the error was adding
fips = no
to /etc/stunnel/stunnel.conf

Re: configure FIPS for openssl/stunnel in compile or run time?

On Wed, 18 Dec 2013, Bit Twister wrote:


Thanks. Your solution solved my problem!

There is more than one problem in my SuSE's stunnel; luckily, the others I can handle on my own. Even with FIPS disabled now, getting it working in the chroot environment (the default) failed. The log no longer appears in /var/log/rc.stunnel.log -- it is zero length -- nor in /var/log/stunnel.log in the chroot environment either, so there is no way to know what failed.

The full solution is a bit lengthy. It is here for anyone (googlers?) who chooses to fight in the OpenSUSE 13.1 arena:

1. Turn off fips ("fips = no").

2. Do not use chroot. Comment out that line. (If you are able to make it work under your security considerations, you wouldn't have needed to google for this post.)

3. Create an empty file /var/log/stunnel.log and make its owner 'stunnel'.

4. Change the pid file location from /var/run/ to /var/run/stunnel/pid, mkdir /var/run/stunnel and make its owner 'stunnel', because stunnel runs as a user who has no permission to create a file in /var/run (creating it beforehand doesn't work). This action is probably the cause of my new error message when starting stunnel, which I ignored:

# /etc/init.d/stunnel start
redirecting to systemctl start stunnel
Warning: Unit file of stunnel.service changed on disk, 'systemctl daemon-reload' recommended.
