On Sun, Dec 21, 2014 at 10:26 AM, Michal Trojnara <[email protected]> wrote:
>
>> On Dec 18, 2014, at 08:27, H.U.Flück <[email protected]> wrote: The
>> error thrown is something like: Dec 17 17:30:23 srvabas stunnel:
>> LOG3[3385:140171595282368]: SSL_accept: 140760FC:
>> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>> protocol
>>
>> What are we missing? Do we need to change the configuration?
>
> I downloaded the source packages to identify the exact change they made.
> The only difference between the previous and the updated version is
> that the new one configures stunnel with:
>
> configure --enable-fips --enable-ipv6 \
> CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
>
> rather than:
>
> configure --disable-fips --enable-ipv6 \
> CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
>
> The update doesn't change anything in the source code of stunnel.
>
> In stunnel 4.x FIPS mode is enabled by default. You may disable it
> with "fips = no". In order to get your configuration working without
> disabling FIPS mode you may also try "sslVersion = TLSv1".

Unfortunately, AFAICT there is no way to write a conf file that will
reliably disable fips on the stunnel 4.x series. This issue is fixed
in 5.0.

--Andy

>
> Mike
> _______________________________________________
> stunnel-users mailing list
> [email protected]
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users

--
Andy Lutomirski
AMA Capital Management, LLC
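
For triaging the handshake failure quoted in this thread across a whole log file, the following is an added example, not code from the thread or from the stunnel project. It parses stunnel's OpenSSL error lines and unpacks the numeric code using the OpenSSL 1.0.x layout (8-bit library, 12-bit function, 12-bit reason); the sample log, the regular expression and all function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample: the first line is the error quoted in the thread
# (rejoined from its wrapped form); the other two are made up for illustration.
SAMPLE_LOG = """\
Dec 17 17:30:23 srvabas stunnel: LOG3[3385:140171595282368]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
Dec 17 17:30:24 srvabas stunnel: LOG5[3385:140171595282368]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Dec 17 17:31:02 srvabas stunnel: LOG3[3385:140171595282999]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
"""

# Assumed line shape, taken from the one line in the thread:
#   LOG<level>[<pid>:<thread>]: <call>: <code>: error:<code>:<lib>:<func>:<reason>
LINE_RE = re.compile(
    r"stunnel: LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: "
    r"(?P<call>\w+): (?P<code>[0-9A-Fa-f]+): "
    r"error:(?P=code):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)


def unpack_err(code_hex):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    e = int(code_hex, 16)
    return (e >> 24) & 0xFF, (e >> 12) & 0xFFF, e & 0xFFF


def parse_line(line):
    """Return a dict for a stunnel OpenSSL-error line, or None for anything else."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["lib_no"], rec["func_no"], rec["reason_no"] = unpack_err(rec["code"])
    return rec


def summarize(log_text):
    """Count handshake errors by (call, function, reason) to spot a pattern."""
    hits = filter(None, map(parse_line, log_text.splitlines()))
    return Counter((r["call"], r["func"], r["reason"]) for r in hits)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A sudden run of identical (call, function, reason) tuples starting right after a package update is the pattern that points at a build or configuration change, as in this thread, rather than at individual misbehaving clients.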
