Re: [stunnel-users] Linux FIPS compile libary question

This is a discussion on Re: [stunnel-users] Linux FIPS compile libary question within the Stunnel Users forums, part of the Networking and Network Related category; This is a multi-part message in MIME format. --=====001_Dragon352281138763_===== Content-Type: multipart/alternative; boundary="=====003_Dragon352281138763_=====" --=====003_Dragon352281138763_===== Content-...

		Usenet Forums > Networking and Network Related > Stunnel Users
Re: [stunnel-users] Linux FIPS compile libary question

LinkBack

Thread Tools

Display Modes

#1 (permalink)

04-17-2008

Posts: n/a

Re: [stunnel-users] Linux FIPS compile libary question

This is a multi-part message in MIME format.

--=====001_Dragon352281138763_=====
Content-Type: multipart/alternative;
boundary="=====003_Dragon352281138763_====="

--=====003_Dragon352281138763_=====
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Hello, expert:

I have a question. Can stunnel be used behind a router without the router forwarding the port number? Recently I found one VNC can work this way. Was wondering whether you can modify the config. file to make it work.

right now I set (serverside) the router forwarding port 8888 to the desktop, the stunnel on the desktop listening for port 8888 and forward this stream 8888 to VNC's 5955.

My purpose is to bypassing the router forwarding part.

Thanks for any input.

J

Thanks for the info. Turns out I caused my own problems. I added some features to stunnel that require ldap. That is what brought in the new openssl dependencies. I need to make a custom ldap library using the FIPS openssl libraries.

Thanks again.
-Joe

-----Original Message-----
From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Luis Rodrigo Gallardo Cruz
Sent: Thursday, April 10, 2008 5:32 PM
To: stunnel-users@mirt.net
Subject: Re: [stunnel-users] Linux FIPS compile libary question

On Thu, Apr 10, 2008 at 01:30:22PM -0400, Joe Kemp wrote:
> I guess the question is what will the linker do with a shared libssl
> in /lib and a static one in /usr/local/sslfips/lib. I ran the libtool
> with a -v. It gave tons of output and only had references to the
> library in /usr/local/sslfips.
>
> So I am going to assume I am seeing the dependencies of other
> libraries used by stunnel. For instance libldap needs openssl and
> uses the shared version. It's a little nerve-wracking ensuring FIPS
> compliance.

That sounds ... ugly. If your shared libraries can pull in a copy of libssl.so, you run the risk that some symbols might be resolved at run time against that copy, instead of against the static copy "inside"
the executable. Unless you were to link with -Bsymbolic, which is an advanced option invented with no other purpose than to trip inocent students of c linkage.

For this kind of stuff, I'd advice you to compile an stunnel with as few external libraries as you can get away with, and relink *all* those libraries to use your static libssl. Even better, get static libraries for them all and link against that.

> Is there a way to see just what the stunnel layer depends on? Ldd -v
> gave me more info but I am assuming it is still showing all levels of
> dependencies (stunnel's, libldap's, libsasl2, etc.).

objdump -x /usr/bin/stunnel |grep NEEDED gives you the list of sonames embedded in the executable. ldd tells you how the dynamic linker will resolve them to actual .so files.
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

--
Internal Virus Database is out-of-date.
Checked by AVG Free Edition.
Version: 7.5.516 / Virus Database: 269.22.5/1357 - Release Date: 4/3/2008 10:48 AM

--=====003_Dragon352281138763_=====
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.6000.16640" name=GENERATOR></HEAD>
<BODY>
<DIV> </DIV>
<DIV>Hello, expert:</DIV>
<DIV> </DIV>
<DIV>I have a question.  Can stunnel be used behind a router without the
router forwarding the port number?  Recently I found one VNC can work this
way.  Was wondering whether you can modify the config. file to make it
work.</DIV>
<DIV> </DIV>
<DIV>right now I set (serverside) the router forwarding port 8888 to the
desktop, the stunnel on the desktop listening for port 8888 and forward
this stream 8888 to VNC's 5955.</DIV>
<DIV> </DIV>
<DIV>My purpose is to bypassing the router forwarding part.</DIV>
<DIV> </DIV>
<DIV>Thanks for any input.</DIV>
<DIV> </DIV>
<DIV>J</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Thanks for the info. &nbs p;Turns out I caused my o wn problems. I added some&nbsp ;features to stunnel that requ ire ldap.  That is what&n bsp;brought in the new openssl  dependencies.  I need to  make a custom ldap libra ry using the FIPS openssl&nbsp ;libraries.</DIV>
<DIV> </DIV>
<DIV>Thanks again.</DIV>
<DIV>-Joe</DIV>
<DIV> </DIV>
<DIV>-----Original Message-----</DIV>
<DIV>From: stunnel-users-bounces@mirt.net [mailto:stunnel-users-bounces@mirt.net] On Behalf Of Luis Rodrig o Gallardo Cruz</DIV>
<DIV>Sent: Thursday, April 10,&nbsp ;2008 5:32 PM</DIV>
<DIV>To: stunnel-users@mirt.net</DIV>
<DIV>Subject: Re: [stunnel-users] Linux FIPS compile libary&nbs p;question</DIV>
<DIV> </DIV>
<DIV>On Thu, Apr 10, 2008&nbsp ;at 01:30:22PM -0400, Joe Kemp wrote:</DIV>
<DIV>> I guess the question  is what will the linker& nbsp;do with a shared libssl</DIV>
<DIV>> in /lib and a static one in&n bsp;/usr/local/sslfips/lib.  I ran the libtool</DIV>
<DIV>> with a -v.  It gave tons of  output and only had references  to the</DIV>
<DIV>> library in /usr/local/sslfips.</DIV>
<DIV>></DIV>
<DIV>> So I am going t o assume I am seeing the& nbsp;dependencies of other</DIV>
<DIV>> libraries used by st unnel.  For instance libldap&n bsp;needs openssl and</DIV>
<DIV>> uses the shared vers ion.  It's a little nerve-wracking ensuring FIPS</DIV>
<DIV>> compliance.</DIV>
<DIV> </DIV>
<DIV>That sounds ... ugly. If& nbsp;your shared libraries can&nbsp ;pull in a copy of libssl .so, you run the risk tha t some symbols might be r esolved at run time against&nb sp;that copy, instead of again st the static copy "inside"</DIV>
<DIV>the executable. Unless you&nbs p;were to link with -Bsymbolic, which is an advance d option invented with no&nbsp ;other purpose than to trip&nb sp;inocent students of c linka ge.</DIV>
<DIV> </DIV>
<DIV>For this kind of stuff,&n bsp;I'd advice you to compile& nbsp;an stunnel with as few&nb sp;external libraries as you c an get away with, and rel ink *all* those libraries to&n bsp;use your static libssl. Ev en better, get static librarie s for them all and link&n bsp;against that.</DIV>
<DIV> </DIV>
<DIV>> Is there a way  to see just what the stun nel layer depends on?  Ld d -v</DIV>
<DIV>> gave me more info&nb sp;but I am assuming it i s still showing all levels&nbs p;of</DIV>
<DIV>> dependencies (stunnel's,  libldap's, libsasl2, etc.).</DIV>
<DIV> </DIV>
<DIV> objdump -x /usr/bin/stunnel |grep NEEDED gives you  the list of sonames embe dded in the executable. ldd&nb sp;tells you how the dynamic&n bsp;linker will resolve them t o actual .so files.</DIV>
<DIV>_____________________________________________ __</DIV>
<DIV>stunnel-users mailing list</DIV>
<DIV>stunnel-users@mirt.net</DIV>
<DIV><A
href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</A></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>-- </DIV>
<DIV>Internal Virus Database is&nbs p;out-of-date.</DIV>
<DIV>Checked by AVG Free Editi on. </DIV>
<DIV>Version: 7.5.516 / Virus Database: 269.22.5/1357 - Release Date: 4/3/2008 10:48 AM</DIV>
<DIV> </DIV></BODY></HTML>

--=====003_Dragon352281138763_=====--
--=====001_Dragon352281138763_=====
Content-Type: text/x-vcard;
name="jilin zhang.vcf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="jilin zhang.vcf"

QkVHSU46VkNBUkQNClZFUlNJT046Mi4xDQpOOnpoYW5nO2ppbG luDQpGTjpqaWxpbiB6aGFuZw0K
TklDS05BTUU6Sg0KT1JHOkVsbGluZ3RvbiAmIEFzc29jaWF0ZX MNClRJVExFOkdlb2xvZ2lzdA0K
VEVMO1dPUks7Vk9JQ0U6NzEzOTU2MjgzOA0KVEVMO1dPUks7Rk FYOjcxMzk1NjI4NDANCkFEUjtX
T1JLOjs7MTAyMiBXaXJ0IFJvYWQsIFN1aXRlIDMxMjtIb3VzdG 9uO1RleGFzOzc3MDU1O1VTDQpM
QUJFTDtXT1JLO0VOQ09ESU5HPVFVT1RFRC1QUklOVEFCTEU6MT AyMiBXaXJ0IFJvYWQsIFN1aXRl
IDMxMg0KSG91c3Rvbg0KVGV4YXMNCjc3MDU1DQpVUw0KVVJMOn d3dy5lbGxpbmd0b25nZW9sb2dp
Yy5jb20NCkVNQUlMO1BSRUY7SU5URVJORVQ6anpAZWxsaW5ndG 9uZ2VvbG9naWMuY29tDQpYLVdB
Qi1HRU5ERVI6Mg0KUkVWOjIwMDgwNDE3VDExMzY0MVoNCkVORD pWQ0FSRA0K

--=====001_Dragon352281138763_=====
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users

--=====001_Dragon352281138763_=====--

« Previous Thread | Next Thread »

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Posting Rules
You may not post new threads You may not post replies You may not post attachments You may not edit your posts vB code is On Smilies are Off [IMG] code is Off HTML code is Off Trackbacks are On Pingbacks are On Refbacks are On

All times are GMT +1. The time now is 08:20 PM.