configure FIPS for openssl/stunnel in compile or run time?
Posted on December 18, 2013, 12:18 pm by Zhang Weiwu
Hello. Recently I had a failure running the binary distribution of stunnel on
OpenSUSE 13.1; the error was "FIPS mode not set". I can see 5 possibilities:
1. FIPS is set before compiling stunnel.
2. FIPS is set in run time for stunnel.
3. FIPS is set before compiling openssl.
4. FIPS is set in run time for openssl.
5. FIPS is an OS thing; you have to get the enterprise edition of SUSE to use it,
or get yourself a version of stunnel without it.
There is no clue which one is true, and trial and error would take a whole
afternoon at my level. Kindly let me know how you handle this case.
Here is the background information:
The error is produced even with a blank configuration file (not specifying
any section in [xxx] format):
stunnel 4.56 on x86_64-suse-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Reading configuration from file /etc/stunnel/stunnel.conf
FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
Global options: Failed to initialize SSL
str_stats: 5 block(s), 87 data byte(s), 290 control byte(s)
~> zypper se -is stunnel
Loading repository data...
Reading installed packages...
S | Name | Type | Version | Arch | Repository
i | stunnel | package | 4.56-1.1 | x86_64 | security: stunnel
Re: configure FIPS for openssl/stunnel in compile or run time?
On Wed, 18 Dec 2013, Bit Twister wrote:
Thanks. Your solution solved my problem!
There is more than one problem in my SuSE's stunnel; luckily the others I
can handle on my own. Even with FIPS disabled now, getting it working in the
chroot environment (the default) failed. The log no longer appears in
/var/log/rc.stunnel.log -- it is zero length -- and not in
/var/log/stunnel.log in the chroot environment either, thus no way to know
The full solution is a bit lengthy. It is here for anyone (googlers?) who
chooses to fight in the OpenSUSE 13.1 arena:
1. turn off fips ("fips = no")
2. Do not use chroot; comment out that line. (If you are able to make it
work under your security considerations, you wouldn't have needed to google
for this post.)
3. Create an empty file /var/log/stunnel.log and make its owner 'stunnel'.
Change the pid file location from /var/run/stunnel.pid to
/var/run/stunnel/pid, mkdir /var/run/stunnel and make its owner 'stunnel',
because stunnel is run as a user who has no permission to create a file in
/var/run (creating it beforehand doesn't work). This action is probably the
cause of my new error message when starting stunnel, which I ignored:
# /etc/init.d/stunnel start
redirecting to systemctl start stunnel
Warning: Unit file of stunnel.service changed on disk, 'systemctl daemon-reload' recommended.
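The three steps above, scripted as a POSIX shell example that is added here and is not code from the thread, from Bit Twister or from the stunnel project. It assumes the package's unprivileged account is named stunnel (override with STUNNEL_USER) and names the pid file stunnel.pid inside /var/run/stunnel; the service sections ([name]) are left for you to append. Because chroot stays off, the output and pid paths are absolute (with chroot they would have to be relative to the jail), and setuid/setgid keep the daemon unprivileged even without the jail. Pass a scratch directory as a prefix to see what it writes without touching the system; on the live box run it as root with --apply, then systemctl daemon-reload if the unit-file warning from the post appears.

```sh
#!/bin/sh
# Added example, not from the original thread: scripts the three-step
# workaround (fips off, no chroot, pre-created log file and pid directory)
# for stunnel 4.56 on OpenSUSE 13.1 and then checks the result.
# Assumptions (mine, not the poster's): the unprivileged account is
# "stunnel", and the pid file is named stunnel.pid inside /var/run/stunnel.
set -eu

STUNNEL_USER="${STUNNEL_USER:-stunnel}"

# Lay down the config and the files stunnel must be able to write to.
# $1 is a prefix: empty for the live system, a scratch directory for a dry run.
apply_workaround() {
    prefix="${1:-}"
    conf="$prefix/etc/stunnel/stunnel.conf"
    log="$prefix/var/log/stunnel.log"
    piddir="$prefix/var/run/stunnel"

    mkdir -p "$(dirname "$conf")" "$(dirname "$log")" "$piddir"

    # Global section only; put service sections ([name]) after these lines.
    cat > "$conf" <<EOF
; stunnel 4.56 global options for an OpenSSL build without a FIPS module
; step 1: do not ask libcrypto for FIPS mode (it answers "fips mode not supported")
fips = no
; step 2: chroot stays disabled; the paths below are then absolute, not jail-relative
; chroot = /var/lib/stunnel
setuid = $STUNNEL_USER
setgid = $STUNNEL_USER
; step 3: both targets are created and chowned before stunnel drops privileges
output = /var/log/stunnel.log
pid = /var/run/stunnel/stunnel.pid
EOF

    # Pre-create what the unprivileged process cannot create itself.
    : > "$log"
    chmod 640 "$log"
    chmod 750 "$piddir"
    # chown only when the account exists and we are root (skipped in a dry run).
    if [ "$(id -u)" -eq 0 ] && id "$STUNNEL_USER" >/dev/null 2>&1; then
        chown "$STUNNEL_USER" "$log" "$piddir"
    fi
}

# Verify the config against the failure modes from the thread. Returns 0 if
# fips is off, no chroot line is active, and the output/pid targets exist.
check_conf() {
    prefix="${1:-}"
    conf="$prefix/etc/stunnel/stunnel.conf"
    [ -r "$conf" ] || { echo "missing $conf"; return 1; }

    grep -Eq '^[[:space:]]*fips[[:space:]]*=[[:space:]]*no' "$conf" \
        || { echo "fips is not set to no"; return 1; }
    ! grep -Eq '^[[:space:]]*chroot[[:space:]]*=' "$conf" \
        || { echo "chroot is still active"; return 1; }

    log=$(sed -nE 's/^[[:space:]]*output[[:space:]]*=[[:space:]]*//p' "$conf")
    pid=$(sed -nE 's/^[[:space:]]*pid[[:space:]]*=[[:space:]]*//p' "$conf")
    [ -n "$log" ] && [ -f "$prefix$log" ] \
        || { echo "log file $log not pre-created"; return 1; }
    [ -n "$pid" ] && [ -d "$(dirname "$prefix$pid")" ] \
        || { echo "pid directory for $pid missing"; return 1; }
    echo "ok: fips off, no chroot, $log and $(dirname "$pid") in place"
}

# Usage on the live system (as root): sh this-script.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_workaround ""
    check_conf ""
fi
```

The check reads the output and pid paths back out of the generated file rather than trusting the variables, so it also catches a hand-edited stunnel.conf whose paths point somewhere the stunnel user cannot write.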