
List:       stunnel-users
Subject:    Re: [stunnel-users] stunnel with FIPS and SIGHUP
From:       Michal Trojnara <Michal.Trojnara () mirt ! net>
Date:       2011-01-15 19:28:30
Message-ID: 199E3386-F277-412B-A9EA-ECF048ACBE7A () mirt ! net

Eric Lambert wrote:
> With the suggested fix, it would look as follows:
>
>     int ssl_configure(void) { /* configure global SSL settings */
>     #ifdef USE_FIPS
>         FIPS_mode_set(0);
>         RAND_set_rand_method(NULL);
>         if(!FIPS_mode_set(global_options.option.fips)) {
>             ERR_load_crypto_strings();
>             sslerror("FIPS_mode_set");
>             return 0;
>         }
>         s_log(LOG_NOTICE, "FIPS mode %s",
>             global_options.option.fips ? "enabled" : "disabled");
>     #endif /* USE_FIPS */
>         :
>         :
>     }
>
> Does the above seem reasonable?  Could this change, or some other
> modification which would support using SIGHUP with FIPS, be
> considered for a future stunnel update?

What about:

#ifdef USE_FIPS
     if(FIPS_mode()!=global_options.option.fips) {
         RAND_set_rand_method(NULL); /* reset RAND methods */
         if(!FIPS_mode_set(global_options.option.fips)) {
             ERR_load_crypto_strings();
             sslerror("FIPS_mode_set");
             return 0;
         }
         s_log(LOG_NOTICE, "FIPS mode %s",
             global_options.option.fips ? "enabled" : "disabled");
     }
#endif /* USE_FIPS */

?

Mike