Scott McKeown wrote:
> # stunnel -version
> stunnel 4.53 on x86_64-unknown-linux-gnu platform
> Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
> Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6
This version looks a bit strange, as the FIPS module for OpenSSL 1.x.x hasn't been released yet.
http://www.openssl.org/docs/fips/fipsvalidation.html
AFAIK the testing snapshots of FIPS 2.0 are clearly marked as such.
> options = CIPHER_SERVER_PREFERENCE

I tested it in my lab and it works just fine for me.
You may try to recompile stunnel with a fresh build of OpenSSL.
> ciphers = RC4:HIGH:!MD5:!aNULL

RC4 is disabled in FIPS mode. You should disable it with:
FIPS = no
as a part of BEAST protection, or just use OpenSSL without FIPS support.
> I'm looking to include the STunnel Product within our Loadbalancer Appliance in our next upcoming release but with everyone now using the SSL checker that I mentioned in one of my last e-mails more customers are becoming concerned about MITM Attacks etc. so I would really like to get this solved before I move forward with the project.
<ad>
As a vendor of a commercial product based on stunnel, you might consider using our commercial support for stunnel.
http://eu.loadbalancer.org/support.php
http://www.stunnel.org/?page=contact
Although the commercial support can hardly beat the quality/price ratio of stunnel-users, your business may still benefit from priority access to our resources.
</ad>
Mike
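The FIPS/RC4 conflict Mike points out above, as an added example that is not part of the thread or of stunnel itself: a small check that reads `stunnel -version` output and the global section of a stunnel.conf and reports when RC4 is requested on a build running in FIPS mode, or when CIPHER_SERVER_PREFERENCE is missing. The sample inputs are constructed from the values in the thread, and the assumption that `fips` defaults to yes on a FIPS-capable 4.x build is ours.

```python
import re

# Constructed sample inputs, echoing the values quoted in the thread.
VERSION_OUTPUT = """stunnel 4.53 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:+ENGINE+OCSP+FIPS Auth:none Sockets:POLL+IPv6
"""
BAD_CONF = ("options = CIPHER_SERVER_PREFERENCE\n"
            "ciphers = RC4:HIGH:!MD5:!aNULL\n\n"
            "[https]\naccept = 443\nconnect = 80\n")
GOOD_CONF = "fips = no\n" + BAD_CONF

def fips_capable(version_output: str) -> bool:
    """True if the 'SSL:' capability list printed by `stunnel -version` has +FIPS."""
    m = re.search(r"SSL:(\S+)", version_output)
    return bool(m) and "+FIPS" in m.group(1)

def parse_global_options(conf: str) -> dict:
    """Collect 'key = value' lines that precede the first [service] section.
    'options' may repeat, so its values are joined into one string."""
    opts = {}
    for raw in conf.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and whitespace
        if not line:
            continue
        if line.startswith("["):                     # first service section: stop
            break
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            key = key.lower()
            opts[key] = (opts.get(key, "") + " " + value).strip() if key == "options" else value
    return opts

def cipher_list_requests_rc4(ciphers: str) -> bool:
    """True when a non-negated element names RC4 and no '!RC4' element removes it."""
    elems = [e.strip().upper() for e in ciphers.split(":") if e.strip()]
    if "!RC4" in elems:
        return False
    return any("RC4" in e and not e.startswith("!") for e in elems)

def check(version_output: str, conf: str) -> list:
    """Return warnings for the two problems discussed in the thread."""
    opts = parse_global_options(conf)
    warnings = []
    # Assumption: on a FIPS-capable 4.x build the 'fips' option defaults to yes.
    fips_on = fips_capable(version_output) and opts.get("fips", "yes").lower() == "yes"
    if fips_on and cipher_list_requests_rc4(opts.get("ciphers", "")):
        warnings.append("RC4 requested in 'ciphers' but unavailable in FIPS mode: set 'fips = no'")
    if "CIPHER_SERVER_PREFERENCE" not in opts.get("options", "").upper():
        warnings.append("'options = CIPHER_SERVER_PREFERENCE' not set: the client chooses the cipher")
    return warnings

if __name__ == "__main__":
    print(check(VERSION_OUTPUT, BAD_CONF))   # one warning about RC4 under FIPS
    print(check(VERSION_OUTPUT, GOOD_CONF))  # []
```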