List: stunnel-users
Subject: Re: [stunnel-users] stunnel with FIPS and SIGHUP
From: Michal Trojnara <Michal.Trojnara () mirt ! net>
Date: 2011-01-15 19:28:30
Message-ID: 199E3386-F277-412B-A9EA-ECF048ACBE7A () mirt ! net
Eric Lambert wrote:
> With the suggested fix, it would look as follows:
>
> int ssl_configure(void) { /* configure global SSL settings */
> #ifdef USE_FIPS
>     FIPS_mode_set(0);
>     RAND_set_rand_method(NULL);
>     if(!FIPS_mode_set(global_options.option.fips)) {
>         ERR_load_crypto_strings();
>         sslerror("FIPS_mode_set");
>         return 0;
>     }
>     s_log(LOG_NOTICE, "FIPS mode %s",
>         global_options.option.fips ? "enabled" : "disabled");
> #endif /* USE_FIPS */
>     :
>     :
> }
>
> Does the above seem reasonable? Could this change, or some other
> modification which would support using SIGHUP with FIPS, be
> considered for a future stunnel update?
What about:
#ifdef USE_FIPS
    if(FIPS_mode()!=global_options.option.fips) {
        RAND_set_rand_method(NULL); /* reset RAND methods */
        if(!FIPS_mode_set(global_options.option.fips)) {
            ERR_load_crypto_strings();
            sslerror("FIPS_mode_set");
            return 0;
        }
        s_log(LOG_NOTICE, "FIPS mode %s",
            global_options.option.fips ? "enabled" : "disabled");
    }
#endif /* USE_FIPS */
?
Mike
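
The difference between the two variants in this thread, as an added example that is not part of the original message or of stunnel. A constructed stub stands in for the FIPS library: the stub_* and cfg_* names, and the rule that enabling an already-enabled mode fails, are assumptions of this model. Each configure strategy is run through one initial load plus three reloads with FIPS requested.

```c
#include <stdio.h>

/* Constructed stand-in for a FIPS-capable library; NOT the OpenSSL API.
 * Assumption: turning the mode on while it is already on is an error. */
static int cur_mode = 0;      /* 0 = off, 1 = on */
static int transitions = 0;   /* successful off<->on switches */

static int stub_mode(void) { return cur_mode; }
static int stub_mode_set(int onoff) {
    if (onoff && cur_mode) return 0;             /* assumed failure case */
    if (onoff != cur_mode) { cur_mode = onoff; transitions++; }
    return 1;
}

/* Each strategy returns 1 on success, 0 on failure. */
static int cfg_unconditional(int want) {   /* set on every (re)load */
    return stub_mode_set(want);
}
static int cfg_reset_first(int want) {     /* shape of the quoted variant */
    stub_mode_set(0);                      /* mode is off from here ... */
    return stub_mode_set(want);            /* ... until this succeeds */
}
static int cfg_only_on_change(int want) {  /* shape of the reply's variant */
    if (stub_mode() != want)
        return stub_mode_set(want);
    return 1;                              /* unchanged: touch nothing */
}

/* One initial load plus `reloads` SIGHUP-style reloads with the same
 * setting. Returns failed configure calls; *switches gets mode switches. */
static int simulate(int (*cfg)(int), int want, int reloads, int *switches) {
    int failures = 0;
    cur_mode = 0;
    transitions = 0;
    for (int i = 0; i <= reloads; i++)
        if (!cfg(want)) failures++;
    *switches = transitions;
    return failures;
}

int main(void) {
    int s, f;
    f = simulate(cfg_unconditional, 1, 3, &s);
    printf("unconditional:  failures=%d switches=%d\n", f, s);
    f = simulate(cfg_reset_first, 1, 3, &s);
    printf("reset first:    failures=%d switches=%d\n", f, s);
    f = simulate(cfg_only_on_change, 1, 3, &s);
    printf("only on change: failures=%d switches=%d\n", f, s);
    return 0;
}
```

With FIPS requested, the reset-first shape switches the mode off and back on at every reload, while the compare-first shape leaves it untouched once it is set.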