[gnutls-help] make check errors in system running FIPS mode

jonetsu jonetsu at teksavvy.com
Mon Sep 21 17:27:33 CEST 2015


A large number of failures are reported during the tests when they are done with the kernel in FIPS mode and the file /etc/system-fips present. The same compile done without these two does not report any error.

Is there a setup to be made to run these tests when in FIPS mode? Does this involve the DNSSEC warning shown at the end of the configure script?

Thanks!

% ./configure --enable-fips140-mode 
% make
% make check

Testsuite summary for GnuTLS 3.3.16

# TOTAL: 88
# PASS:  2
# SKIP:  4
# XFAIL: 0
# FAIL:  82
# XPASS: 0
# ERROR: 0

configure: summary of build options:

  version:              3.3.16 shared 69:8:41
  Host/Target system:   armv7l-unknown-linux-gnueabihf
  Build system:         armv7l-unknown-linux-gnueabihf
  Install prefix:       /usr/local
  Compiler:             gcc
  CFlags:               -g -O2
  Library types:        Shared=yes, Static=no
  Local libopts:        yes
  Local libtasn1:       yes
  Use nettle-mini:      no
  nettle-version:       2.7.1

configure: External hardware support:

  /dev/crypto:          no
  Hardware accel:       none
  Padlock accel:        yes
  PKCS#11 support:      no
  TPM support:          no

configure: Optional features:
(note that included applications might not compile properly
if features are disabled)

  DTLS-SRTP support:    yes
  ALPN support:         yes
  OCSP support:         yes
  Ses. ticket support:  yes
  OpenPGP support:      yes
  SRP support:          yes
  PSK support:          yes
  DHE support:          yes
  ECDHE support:        yes
  RSA-EXPORT support:   yes
  Anon auth support:    yes
  Heartbeat support:    yes
  Unicode support:      yes
  Self checks:          yes
  Non-SuiteB curves:    yes
  FIPS140 mode:         yes

configure: Optional applications:

  crywrap app:          no

configure: Optional libraries:

  Guile wrappers:       no
  C++ library:          yes
  DANE library:         no
  OpenSSL compat:       yes

configure: System files:

  Trust store pkcs11:   
  Trust store dir:      
  Trust store file:     /etc/ssl/certs/ca-certificates.crt
  Blacklist file:       
  CRL file:             
  Priority file:        /etc/gnutls/default-priorities
  DNSSEC root key file: /etc/unbound/root.key

configure: WARNING:
*** The DNSSEC root key file in /etc/unbound/root.key was not found.
*** This file is needed for the verification of DNSSEC responses.
*** Use the command: unbound-anchor -a "/etc/unbound/root.key"
*** to generate or update it.
