<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 12 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Hi all, Need your help. <o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">When I configured stunnel without the LunaCA3 engine (a product from SafeNet), everything worked fine. After adding the global option with the engine:<o:p></o:p></p>
<p class="MsoNormal">engine=LunaCA3<o:p></o:p></p>
<p class="MsoNormal"> engineCtrl=SO_PATH:/usr/local/ssl/lib/engines/liblunaca3.so<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I got the following error. I also searched previous engine issues and saw someone else with similar issues. I hope that the issue was resolved.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The stunnel and OpenSSL info: stunnel 5.20 on x86_64 Linux. Compiled/running with OpenSSL 1.0.1i-fips. The setting is for a server with sslVersion = TLSv1 and ciphers = AES128-SHA.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG7[0]: SSL state (accept): SSLv3 read client certificate A<o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG7[0]: SSL state (accept): SSLv3 read client key exchange A<o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG7[0]: SSL state (accept): SSLv3 read certificate verify A<o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG7[0]: <b>SSL alert (write): fatal: bad record mac</b><o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG3[0]: <b><span style="background:yellow;mso-highlight:yellow">SSL_accept: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac</span></b><o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG5[0]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket<o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG7[0]: Deallocating application specific data for addr index<o:p></o:p></p>
<p class="MsoNormal">2015.09.08 11:11:01 LOG7[0]: Local socket (FD=3) closed<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Any help and info are greatly appreciated!!<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:navy">Ann Donne<o:p></o:p></span></b></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>