• configure FIPS for openssl/stunnel in compile or run time?

    From Zhang Weiwu@110:300/11 to All on Wed Dec 18 12:18:58 2013

    Hello. Recently had a failure running binary distribution of stunnel on OpenSUSE 13.1, error was "FIPS mode not set". I can see 5 possibilities:

    1. FIPS is set before compiling stunnel.
    2. FIPS is set in run time for stunnel.
    3. FIPS is set before compiling openssl.
    4. FIPS is set in run time for openssl.
    5. FIPS is an OS thing; you have to get the enterprise edition of SUSE to use it,
    or get yourself a version of stunnel without it.

    There is no clue which one is true, and trial and error would take a whole afternoon at my level. Kindly let me know how you handle this case.

    Here is the background information:

    --------------------------------

    The error is produced even with a blank configuration file (not specifying
    any section in [xxx] format):

    cat /var/log/rc.stunnel.log

    Clients allowed=500
    stunnel 4.56 on x86_64-suse-linux-gnu platform
    Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
    Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
    Reading configuration from file /etc/stunnel/stunnel.conf
    FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
    Global options: Failed to initialize SSL
    str_stats: 5 block(s), 87 data byte(s), 290 control byte(s)

    -----------------------------------

    stunnel version:

    zypper se -is stunnel
    Loading repository data...
    Reading installed packages...

    S | Name    | Type    | Version  | Arch   | Repository
    --+---------+---------+----------+--------+------------------
    i | stunnel | package | 4.56-1.1 | x86_64 | security: stunnel

    --- MBSE BBS v1.0.1 (GNU/Linux-i386)
    * Origin: A noiseless patient Spider (110:300/11@linuxnet)
  • From Bit Twister@110:300/11 to All on Wed Dec 18 12:23:46 2013
    On Wed, 18 Dec 2013 20:18:58 +0800, Zhang Weiwu wrote:

    Hello. Recently had a failure running binary distribution of stunnel on OpenSUSE 13.1, error was "FIPS mode not set". I can see 5 possibilities:

    1. FIPS is set before compiling stunnel.
    2. FIPS is set in run time for stunnel.
    3. FIPS is set before compiling openssl.
    4. FIPS is set in run time for openssl.
    5. FIPS is an OS thing; you have to get the enterprise edition of SUSE to use it,
    or get yourself a version of stunnel without it.

    Not running Suse, but my solution to the error was adding
    fips = no
    to /etc/stunnel/stunnel.conf

  • From Zhang Weiwu@110:300/11 to All on Thu Dec 19 08:46:44 2013

    On Wed, 18 Dec 2013, Bit Twister wrote:

    Not running Suse, but my solution to the error was adding
    fips = no
    to /etc/stunnel/stunnel.conf

    Thanks. Your solution solved my problem!

    There is more than one problem in my SuSE's stunnel; luckily the others I can handle on my own. Even with FIPS disabled now, getting it working in the chroot environment (the default) failed. The log no longer appears in /var/log/rc.stunnel.log -- it is zero length -- nor in /var/log/stunnel.log in the chroot environment either, so there is no way to know what failed.

    The full solution is a bit lengthy. It is here for anyone (googlers?) who chooses to fight in the OpenSUSE 13.1 arena:

    1. Turn off FIPS ("fips = no").

    2. Do not use chroot; comment out that line. (If you are able to make it
    work under your security considerations, you wouldn't have needed to google for this post.)

    3. Create an empty file /var/log/stunnel.log and make its owner 'stunnel'.

    4. Change the pid file location from /var/run/stunnel.pid to /var/run/stunnel/pid, mkdir /var/run/stunnel and make its owner 'stunnel', because stunnel is run as a user who has no permission to create a file in /var/run (creating it beforehand doesn't work). This action is probably the cause of my new error message when starting stunnel, which I ignored:

    # /etc/init.d/stunnel start
    redirecting to systemctl start stunnel
    Warning: Unit file of stunnel.service changed on disk, 'systemctl daemon-reload' recommended.

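The four steps above, staged as a script; this is an added example, not code from the thread or from the stunnel project. It writes a stunnel.conf global block with the settings the thread converged on, prepares the files the unprivileged daemon cannot create itself, and checks a conf for those settings. ROOT (a scratch prefix so the layout can be staged outside /), STUNNEL_USER, the setuid/setgid lines and the /var/lib/stunnel chroot path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. ROOT="" targets the real filesystem;
# set ROOT to a scratch directory to stage the layout without root.
ROOT="${ROOT:-}"
STUNNEL_USER="${STUNNEL_USER:-stunnel}"   # assumed: account the SUSE package runs as

# Write the global options from the thread (no [service] sections; add your own).
write_conf() {
    conf="$1"
    cat > "$conf" <<'EOF'
; Global options only; add your own [service] sections below.
; OpenSSL 1.0.1e on this system has no FIPS module, so FIPS_mode_set fails.
fips = no
; chroot disabled: with it on, neither the log nor the pid path was reachable.
; (assumed SUSE default path)
; chroot = /var/lib/stunnel
; assumed: the package drops privileges to this account
setuid = stunnel
setgid = stunnel
; both paths must be writable by that account (see prepare_paths)
output = /var/log/stunnel.log
pid = /var/run/stunnel/pid
EOF
}

# Create the log file and pid directory; chown only on a real host as root.
prepare_paths() {
    mkdir -p "$ROOT/var/run/stunnel" "$ROOT/var/log"
    : > "$ROOT/var/log/stunnel.log"
    if [ -z "$ROOT" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$STUNNEL_USER" "$ROOT/var/log/stunnel.log" "$ROOT/var/run/stunnel"
    fi
}

# Returns 0 when the conf carries the thread's workaround, 1 if fips is not
# "no", 2 if chroot is still active, 3 if the pid file is not under the
# directory owned by the stunnel user.
check_conf() {
    conf="$1"
    grep -Eq '^[[:space:]]*fips[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$conf" || return 1
    if grep -Eq '^[[:space:]]*chroot[[:space:]]*=' "$conf"; then return 2; fi
    grep -Eq '^[[:space:]]*pid[[:space:]]*=[[:space:]]*/var/run/stunnel/' "$conf" || return 3
    return 0
}

# Usage on the real host (as root): write_conf /etc/stunnel/stunnel.conf && prepare_paths
```

Both "fips = no" and dropping chroot remove hardening; the check only confirms that the thread's workaround is in place, not that the service is hardened.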