FIPS in stunnel and OpenSSL
The actual cause of the problem is that OpenSSL v1.1.x does not support the FIPS engine and, as such, you can only use a FIPS-compliant cipher until FIPS is recertified, as I understand it.

Andruw Smalley
Loadbalancer.org Ltd.
www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
[email protected]
Leave a Review | Deployment Guides | Blog

On Mon, 4 Mar 2019 at 16:20, <[email protected]> wrote:
>
> Today's Topics:
>
>    1. FIPS mode not supported (Yan Renelt)
>    2. Re: FIPS mode not supported (mlrx)
>    3. Re: FIPS mode not supported (Flo Rance)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Mar 2019 16:14:47 +0100
> From: Yan Renelt <[email protected]>
> To: [email protected]
> Subject: [stunnel-users] FIPS mode not supported
>
> Hi,
>
> my config is
> cert = stunnel.pem
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> debug = 7
>
> fips = yes
>
> [Demo-Trading]
> client = yes
> accept = 127.0.0.1:40001
> connect = fix-order.london-demo.lmax.com:443
> sslVersion = TLSv1
> options = NO_SSLv2
> options = NO_SSLv3
>
> [Demo – Market Data]
> client = yes
> accept = 127.0.0.1:40003
> connect = fix-marketdata.london-demo.lmax.com:443
> sslVersion = TLSv1
> options = NO_SSLv2
> options = NO_SSLv3
>
>
> and I am still receiving this error.
>
> FIPS_mode_set: F06D065: error:0F06D065:common libcrypto
> routines:FIPS_mode_set:fips mode not supported
>
> Any suggestions? fips = no is not an option for me.
>
>
> Thanks
>
> Yan
>
> ------------------------------
>
> Message: 2
> Date: Mon, 4 Mar 2019 17:15:30 +0100
> From: mlrx <[email protected]>
> To: [email protected]
> Subject: Re: [stunnel-users] FIPS mode not supported
>
> On 04/03/2019 at 16:14, Yan Renelt wrote:
> > Hi,
> Hi,
>
> > my config is
> > cert = stunnel.pem
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> > debug = 7
> >
> > fips = yes
> >
> > [Demo-Trading]
> > client = yes
> > accept = 127.0.0.1:40001
> > connect = fix-order.london-demo.lmax.com:443
> > sslVersion = TLSv1
> Why do you use this one?
> Isn't it better to use TLSv1.2 min.?
>
> > [...]
> >
> > and I am still receiving this error.
> >
> > FIPS_mode_set: F06D065: error:0F06D065:common libcrypto
> > routines:FIPS_mode_set:fips mode not supported
> >
> > Any suggestions? fips = no is not an option for me.
>
> Which OS?
> Do you use `debug = 7`? Any information in it?
> On OpenBSD (for example), `rcctl -d start stunnel` could give you
> some useful information.
>
> Here is a sample of mine (client = no):
> debug = 7
> output = stunnel.log
> sslVersion = TLSv1.2
> options = CIPHER_SERVER_PREFERENCE
> ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> curve = secp384r1
>
>
> Regards,
> --
> mlrx
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 4 Mar 2019 17:19:38 +0100
> From: Flo Rance <[email protected]>
> To: Yan Renelt <[email protected]>
> Cc: [email protected]
> Subject: Re: [stunnel-users] FIPS mode not supported
>
> You don't give many details on which environment stunnel is installed in, but
> it seems that it has been compiled with a version of OpenSSL that doesn't
> have the FIPS object module.
>
> Flo
>
> On Mon, Mar 4, 2019 at 4:15 PM Yan Renelt <[email protected]> wrote:
> > [...]
> >
> > and I am still receiving this error.
> >
> > FIPS_mode_set: F06D065: error:0F06D065:common libcrypto
> > routines:FIPS_mode_set:fips mode not supported
> >
> > Any suggestions? fips = no is not an option for me.
> >
> > Thanks
> >
> > Yan
>
> ------------------------------
>
> End of stunnel-users Digest, Vol 176, Issue 3
> *********************************************

_______________________________________________
stunnel-users mailing list
[email protected]
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
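Added example, not from the thread and not stunnel's or OpenSSL's own code: a POSIX sh check that reads the banner `stunnel -version` prints and gives a verdict on whether that build can honour `fips = yes`, so the FIPS_mode_set "fips mode not supported" failure above is caught before stunnel is started. It assumes the stunnel 5.x banner layout (a "Compiled/running with OpenSSL ..." line and a "TLS:" feature list that names FIPS when stunnel was built with FIPS support). It also assumes, as Andruw's reply says, that no FIPS Object Module exists for OpenSSL 1.1.x, so "FIPS" in the feature list is not enough on its own: OpenSSL 1.1.x still exports FIPS_mode_set() as a stub that fails with exactly this error, which is why the OpenSSL version is checked too. The three banners embedded in the script are constructed samples, not output captured from the poster's system.

```shell
#!/bin/sh
# Added example (not code from the thread, stunnel or OpenSSL): decide from
# the `stunnel -version` banner whether "fips = yes" can work for this build.
# Assumed banner layout (stunnel 5.x):
#   stunnel 5.50 on x86_64-pc-linux-gnu platform
#   Compiled/running with OpenSSL 1.1.1a  20 Nov 2018
#   Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
# "FIPS" in the TLS: list only says stunnel was built with FIPS support;
# OpenSSL 1.1.x has no FIPS Object Module and its FIPS_mode_set() stub fails
# with "fips mode not supported", so the OpenSSL version is checked as well.
# The three banners below are constructed samples, not captured output.

BANNER_11X='stunnel 5.50 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.1.1a  20 Nov 2018
Threading:PTHREAD Sockets:POLL,IPv6,SYSTEMD TLS:ENGINE,FIPS,OCSP,PSK,SNI'

BANNER_102_NOFIPS='stunnel 5.50 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2q  20 Nov 2018
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI'

BANNER_102_FIPS='stunnel 5.50 on x86_64-pc-linux-gnu platform
Compiled/running with OpenSSL 1.0.2q-fips  20 Nov 2018
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI'

# Version string of the OpenSSL stunnel was compiled against, e.g. "1.1.1a".
openssl_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^Compiled\/running with OpenSSL \([^ ]*\).*/\1/p' | head -n 1
}

# Returns 0 if the TLS: feature list names FIPS, 1 otherwise.
banner_has_fips() {
    tls=$(printf '%s\n' "$1" | sed -n 's/.*TLS:\([^ ]*\).*/\1/p' | head -n 1)
    case ",$tls," in
        *,FIPS,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Verdict for "fips = yes": prints one line and returns 0 (usable),
# 1 (will fail at startup) or 2 (cannot tell from the banner alone).
# Deliberately no silent downgrade to "fips = no"; the operator decides.
check_fips_build() {
    ver=$(openssl_version_from_banner "$1")
    if ! banner_has_fips "$1"; then
        echo "FAIL: stunnel built without FIPS support (no FIPS in TLS features)"
        return 1
    fi
    case "$ver" in
        1.1.*)
            echo "FAIL: OpenSSL $ver has no FIPS Object Module; FIPS_mode_set() can only fail"
            return 1 ;;
        1.0.2*-fips)
            echo "OK: OpenSSL $ver built with FIPS enabled"
            return 0 ;;
        *)
            echo "UNKNOWN: OpenSSL $ver; confirm a FIPS module is present before trusting fips = yes"
            return 2 ;;
    esac
}

# Run the same check against the installed binary, if there is one.
if command -v stunnel >/dev/null 2>&1; then
    check_fips_build "$(stunnel -version 2>&1)" || true
fi
```

Run it on the host where stunnel will start: a FAIL verdict on the 1.1.x banner is the situation in this thread, and the only fixes are to build stunnel against an OpenSSL that actually carries a FIPS module or to drop `fips = yes`; changing ciphers or sslVersion in stunnel.conf does not make FIPS_mode_set() succeed.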
