• configure FIPS for openssl/stunnel in compile or run time?

    From Zhang Weiwu@110:110/2002 to All on Wed Dec 18 02:56:38 2013

    Hello. I recently had a failure running the binary distribution of stunnel on OpenSUSE 13.1; the error was "FIPS mode not set". I can see 5 possibilities:

    1. FIPS is set before compiling stunnel.
    2. FIPS is set in run time for stunnel.
    3. FIPS is set before compiling openssl.
    4. FIPS is set in run time for openssl.
    5. FIPS is an OS thing; you have to get the enterprise edition of SUSE to use it,
    or get yourself a version of stunnel without it.

    There is no clue which one is true, and trial and error would take a whole afternoon at my level. Kindly let me know how you handle this case.

    Here is the background information:

    --------------------------------

    The error is produced even with a blank configuration file (not specifying
    any section in [xxx] format):

    cat /var/log/rc.stunnel.log

    Clients allowed=500
    stunnel 4.56 on x86_64-suse-linux-gnu platform
    Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
    Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
    Reading configuration from file /etc/stunnel/stunnel.conf
    FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
    Global options: Failed to initialize SSL
    str_stats: 5 block(s), 87 data byte(s), 290 control byte(s)

    -----------------------------------

    stunnel version:

    zypper se -is stunnel
    Loading repository data...
    Reading installed packages...

    S | Name    | Type    | Version  | Arch   | Repository
    --+---------+---------+----------+--------+------------------
    i | stunnel | package | 4.56-1.1 | x86_64 | security: stunnel

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:110/2002@linuxnet)