The following errors are generated during connection with fips off:
2012.02.29 19:11:48 LOG6[13546:139687476688640]: SSL accepted: new session negotiated
2012.02.29 19:11:48 LOG6[13546:139687476688640]: Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
2012.02.29 19:11:48 LOG6[13546:139687476688640]: Compression: zlib compression, expansion: zlib compression
2012.02.29 19:11:48 LOG6[13546:139687476688640]: connect_blocking: connecting 127.0.0.1:30010
2012.02.29 19:11:48 LOG7[13546:139687476688640]: connect_blocking: s_poll_wait 127.0.0.1:30010: waiting 10 seconds
2012.02.29 19:11:48 LOG5[13546:139687476688640]: connect_blocking: connected 127.0.0.1:30010
2012.02.29 19:11:48 LOG5[13546:139687476688640]: Service 3proxy connected remote server from 127.0.0.1:52872
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Remote FD=8 initialized
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Socket closed on read
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Sending close_notify alert
2012.02.29 19:11:48 LOG6[13546:139687476688640]: SSL_shutdown successfully sent close_notify alert
2012.02.29 19:11:48 LOG5[13546:139687476688640]: Error detected on SSL (read) file descriptor: Connection reset by peer (104)
-----------------------------------------
Stunnel settings:
-----------------------------------------
#Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem
#
#Authentication stuff
;CApath = /etc/stunnel/Trusted
;CRLpath = /etc/stunnel/Revoked
CAfile = /usr/local/etc/stunnel/Trusted/Trusted.pem
verify = 0
#
#Log
#output = /var/log/stunnel.log
debug = 7
foreground = yes
#
#Protocol version (all, SSLv2, SSLv3, TLSv1)
#sslVersion = SSLv3
options = NO_SSLv2
#
#Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
#
#Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = DONT_INSERT_EMPTY_FRAGMENTS
compression = zlib
#
#These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
#
# Connections
[3proxy]
accept = 30001
connect = 127.0.0.1:30010
client = no
TIMEOUTidle = 1800
----------------------------------------
I have also tried with different certificates; it does not work either. I downloaded the cert and key from the server and started a server on my client computer, and everything runs fine.
Thank you for replying and helping.
At 2012-03-01 10:25:52, "Jake Skinner" Jake.Skinner@ontariosystems.com wrote:
Have you tried disabling FIPS to see if your connection works without?
Jake Skinner
Telephony Technology Specialist
Ontario Systems, LLC
Office +1.765.751.7000
Thumbed posthaste from my mobile device; please forgive any typing or grammatical errors.
From: stunnel-users-bounces@stunnel.org
To: stunnel-users@stunnel.org
Sent: Wed Feb 29 19:41:02 2012
Subject: [stunnel-users] FIPS_mode_set:fingerprint does not match
I have the following problem running stunnel on CentOS 6.x 64bit, with the error shown below.
I have been searching with Google to see if there was a solution, but nothing was found.
Thank you for your reply and your help, hopefully I can get this solved.
********************************************************************************
Clients allowed=500
stunnel 4.52 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:ENGINE,FIPS Auth:none Sockets:POLL,IPv6
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match
*******************************************************************************