Bug 476674 - net-misc/stunnel automagically enables FIPS mode (should probably use $(use_enable fips)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Anthony Basile
URL: http://www.openssl.org/docs/fips/fips...
Blocks: CVE-2012-2686
Reported: 2013-07-13 02:27 UTC by Jeroen Roovers (RETIRED)
Modified: 2013-07-13 12:59 UTC (History)
Description Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 02:27:53 UTC
# /etc/init.d/stunnel start
 * /run/stunnel: correcting mode
 * /run/stunnel: correcting owner
 * Starting stunnel ...
Clients allowed=500
stunnel 4.56 on hppa2.0-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1c 10 May 2012
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
Reading configuration from file /etc/stunnel/stunnel.conf
FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported                              
Line 58: "[https]": Failed to initialize SSL
str_stats: 5 block(s), 91 data byte(s), 210 control byte(s)
 * start-stop-daemon: failed to start `/usr/bin/stunnel'
 * Failed to start stunnel                    [ !! ]
 * ERROR: stunnel failed to start

According to [URL] I probably don't need FIPS mode.
Comment 1 Anthony Basile gentoo-dev 2013-07-13 12:26:46 UTC
(In reply to Jeroen Roovers from comment #0)
> # /etc/init.d/stunnel start
>  * /run/stunnel: correcting mode
>  * /run/stunnel: correcting owner
>  * Starting stunnel ...
> Clients allowed=500
> stunnel 4.56 on hppa2.0-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.1c 10 May 2012
> Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
> Reading configuration from file /etc/stunnel/stunnel.conf
> FIPS_mode_set: F06D065: error:0F06D065:common libcrypto
> routines:FIPS_mode_set:fips mode not supported                              
> Line 58: "[https]": Failed to initialize SSL
> str_stats: 5 block(s), 91 data byte(s), 210 control byte(s)
>  * start-stop-daemon: failed to start `/usr/bin/stunnel'
>  * Failed to start stunnel                    [ !! ]
>  * ERROR: stunnel failed to start
> 
> According to [URL] I probably don't need FIPS mode.

You do not need FIPS and we force disable it in all openssl builds.  So we force disable it in stunnel.
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2013-07-13 12:31:59 UTC
I think this needs a revision bump. Note that the installed files would change and that without the fix, stunnel very probably fails at runtime.
Comment 3 Anthony Basile gentoo-dev 2013-07-13 12:59:57 UTC
(In reply to Jeroen Roovers from comment #2)
> I think this needs a revision bump. Note that the installed files would
> change and that without the fix, stunnel very probably fails at runtime.

It does indeed fail at runtime.  I rev bumped.  Thanks.
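
A check for the failure discussed in this bug, as an added example that is not part of the original report or of the Gentoo ebuild: it reads stunnel startup output and reports whether FIPS is in the compiled-in SSL feature list while libcrypto rejects `FIPS_mode_set`. The function names are hypothetical, and the sample log is copied from the description above.

```shell
# Added example: triage stunnel startup output for the FIPS mismatch in this bug.
# Function names are hypothetical; SAMPLE_LOG is copied from the bug description.

# Prints "yes" if FIPS appears in the SSL: feature list of the version banner.
fips_compiled_in() {
    printf '%s\n' "$1" | awk '
        /^Threading:/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SSL:/) {
                    sub(/^SSL:/, "", $i)
                    n = split($i, feat, ",")
                    for (j = 1; j <= n; j++)
                        if (feat[j] == "FIPS") found = 1
                }
        }
        END { print (found ? "yes" : "no") }'
}

# Prints "yes" if libcrypto refused FIPS_mode_set (OpenSSL built without FIPS).
fips_rejected_by_openssl() {
    if printf '%s\n' "$1" | grep -q 'FIPS_mode_set:.*fips mode not supported'; then
        echo yes
    else
        echo no
    fi
}

# Combines both signals into one verdict line.
diagnose() {
    compiled=$(fips_compiled_in "$1")
    rejected=$(fips_rejected_by_openssl "$1")
    if [ "$compiled" = yes ] && [ "$rejected" = yes ]; then
        echo "mismatch: stunnel built with FIPS, OpenSSL lacks it"
    elif [ "$compiled" = yes ]; then
        echo "fips-enabled build, no failure logged"
    else
        echo "fips not compiled in"
    fi
}

SAMPLE_LOG='stunnel 4.56 on hppa2.0-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1c 10 May 2012
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS Auth:LIBWRAP
FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported'

diagnose "$SAMPLE_LOG"
```

The same functions accept the text of a captured startup log or version banner passed as a single argument.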