From 3a0d1bebba5969fb91ecfb40c27ca95eb2357f45 Mon Sep 17 00:00:00 2001
From: Dan Fandrich
Date: Mon, 10 Feb 2014 20:44:28 +0100
Subject: [PATCH] secureserver: Only set stunnel FIPS option when available
It seems the fips config option causes an error if FIPS mode was not enabled at stunnel compile-time. FIPS support was disabled by default in stunnel 5.00, so this is probably really only needed on versions between 4.32 and 5.00.
---
 tests/secureserver.pl | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/tests/secureserver.pl b/tests/secureserver.pl
index 66f891f71..4b7a23b61 100755
--- a/tests/secureserver.pl
+++ b/tests/secureserver.pl
@@ -50,6 +50,7 @@
 my $stuncert;
 my $ver_major;
 my $ver_minor;
+my $fips_support;
 my $stunnel_version;
 my $socketopt;
 my $cmd;
@@ -189,7 +190,11 @@ foreach my $veropt (('-version', '-V')) {
 if($verstr =~ /^stunnel (\d+)\.(\d+) on /) {
 $ver_major = $1;
 $ver_minor = $2;
- last;
+ }
+ elsif($verstr =~ /^sslVersion.*fips *= *yes/) {
+ # the fips option causes an error if stunnel doesn't support it
+ $fips_support = 1;
+ last
 }
 }
 last if($ver_major);
@@ -253,7 +258,8 @@ if($stunnel_version >= 400) {
 cert = $certfile
 debug = $loglevel
 socket = $socketopt";
- if($stunnel_version >= 500) {
+ if($fips_support) {
+ # disable fips in case OpenSSL doesn't support it
 print STUNCONF "
 fips = no";
 }
@@ -283,7 +289,6 @@ if($stunnel_version >= 400) {
 print "cert = $certfile\n";
 print "pid = $pidfile\n";
 print "debug = $loglevel\n";
- print "fips = no\n";
 print "socket = $socketopt\n";
 print "output = $logfile\n";
 print "foreground = yes\n";
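Review bot: The `last` that used to end the scan after the version banner now sits only in the `elsif` branch, so the loop stops early only on a line matching `/^sslVersion.*fips *= *yes/`; if such a line ever came before the `stunnel X.Y on` banner, the version would stay unset for that `$veropt`. The regex also encodes one specific output format that is not shown here, so a short comment quoting the line it expects would help whoever has to update it when stunnel's output changes. The new `last` lacks the trailing semicolon the removed `last;` had; `last;` would match the surrounding style. The enclosing `foreach` and the inner loop over the output begin outside the hunk.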
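Review bot: The config file now carries `fips = no` only when `$fips_support` is set, while the hunk at -283 deletes `print "fips = no\n";` from what appears to be the printed copy of that configuration, so the printed settings no longer show whether FIPS was disabled for a given run. Keeping the echo conditional, `print "fips = no\n" if($fips_support);`, would leave the output in step with the file. When detection misses, stunnel is left at its built-in FIPS default, which is worth a word in the comment above the `if`. The enclosing `if($stunnel_version >= 400)` block starts outside the hunk.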