One more thing..<br><br>2012.02.14 13:13:32 LOG6[87260:136504]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA <b>Enc=RC4(128)</b> Mac=SHA1<br><br>RC4 128-bit is not something that is considered secure. I don't know why this was chosen, but probably this caused FIPS mode to reject the connection?<br>
<br>Best Regards,<br>Laszlo<br><br><br><div class="gmail_quote">On Tue, Feb 14, 2012 at 13:29, Keresztfalvi Laszlo <span dir="ltr">&lt;<a href="mailto:lkereszt@gmail.com" target="_blank">lkereszt@gmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Jose,<br><br>Oh, yeah! This solved the problem!<br><br>Actually, <b>fips = no</b> alone was enough to let the certs meet.<br><br>Previously, I just didn't bother with the FIPS setting since I couldn't imagine that non-approved protocols would be used or any crypto/algo deviances would show up.. in such a simple case :) It was very frustrating that the OpenSSL test commands (s_server, s_client) worked.<br>
<br>You may leave this solution visible for Google or extend the documentation / FAQ to help others.. No relevant document showed up for the next search strings:<div><br>SSL3_GET_CERTIFICATE_REQUEST:tls client cert req with anon cipher<br>
</div><div>
SSL3_READ_BYTES:sslv3 alert unexpected message<br><br></div>Thank you very very much!<br><font color="#888888">Laszlo</font><div><div></div><div><br><br><br><div class="gmail_quote">On Tue, Feb 14, 2012 at 12:06, <span dir="ltr">&lt;<a href="mailto:josealf@rocketmail.com" target="_blank">josealf@rocketmail.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Laszlo,<br>
<br>
Please add<br>
<br>
key=stunnel.pem<br>
fips=no<br>
<br>
to your config files.<br>
Make sure stunnel.pem contains the certificate and private key for each computer. Try again and let us know the results.<br>
<br>
Regards<br>
Jose<br>
<br>
-----Original Message-----<br>
From: Keresztfalvi Laszlo &lt;<a href="mailto:lkereszt@gmail.com" target="_blank">lkereszt@gmail.com</a>&gt;<br>
Sender: <a href="mailto:stunnel-users-bounces@stunnel.org" target="_blank">stunnel-users-bounces@stunnel.org</a><br>
Date: Tue, 14 Feb 2012 10:05:15<br>
To: &lt;<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a>&gt;<br>
Subject: [stunnel-users] server does not send its cert?<br>
<br>
_______________________________________________<br>
stunnel-users mailing list<br>
<a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>
<a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br>
<br>
<br>
<br>
</blockquote></div><br><div></div>
</div></div></blockquote></div><br><div></div>
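<br>Added example, not part of the original thread and not stunnel's own code: a Python script that parses stunnel "Negotiated ciphers" log lines like the one quoted in the top message and flags suites that use algorithms which are not FIPS-approved (RC4, RC2, DES, MD5) or that carry no certificate authentication. The second and third log lines, the function names and the finding labels are constructed for illustration.<br>

```python
import re

# Constructed sample: line 1 is the entry quoted in the thread; lines 2-3 are
# made up for contrast (an AES suite and an anonymous RC4/MD5 suite).
SAMPLE_LOG = """\
2012.02.14 13:13:32 LOG6[87260:136504]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.02.14 13:14:02 LOG6[87260:136505]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
2012.02.14 13:15:40 LOG6[87260:136506]: Negotiated ciphers: ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
"""

# Field layout follows OpenSSL's cipher description: name, protocol, Kx, Au,
# Enc(bits), Mac. The protocol column is the version that defined the suite,
# not necessarily the negotiated one, so it is parsed but not judged here.
LINE_RE = re.compile(
    r"Negotiated ciphers:\s+(?P<suite>\S+)\s+(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)
NON_FIPS_ENC = {"RC4", "RC2", "DES"}  # single DES only; 3DES is reported as "3DES"
NON_FIPS_MAC = {"MD5"}


def parse_line(line):
    """Return the suite fields as a dict, or None for unrelated log lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    info = m.groupdict()
    info["bits"] = int(info["bits"]) if info["bits"] else 0
    return info


def findings(info):
    """List the reasons a negotiated suite deserves attention."""
    out = []
    if info["enc"] == "None":
        out.append("no-encryption")
    elif info["enc"] in NON_FIPS_ENC:
        out.append("non-fips-enc:" + info["enc"])
    if info["mac"] in NON_FIPS_MAC:
        out.append("non-fips-mac:" + info["mac"])
    if info["au"] == "None":
        out.append("anonymous-auth")
    return out


def audit(log_text):
    """Return (suite, findings) for every 'Negotiated ciphers' line."""
    parsed = (parse_line(l) for l in log_text.splitlines())
    return [(p["suite"], findings(p)) for p in parsed if p]


if __name__ == "__main__":
    for suite, issues in audit(SAMPLE_LOG):
        print(suite, "->", ", ".join(issues) or "ok")
```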