Hello Mike,
I can make only a statement about the Non-FIPS mode, because Stunnel 4.5* starts only if "fips = no" is set (without Windows gives an error message).
I have tested both a RSA-SHA384/AES128 certificate/priv-key pair and a RSA-RMD160/IDEA certificate/priv-key pair. Both does not work. (SHA384/AES128 is validated by FIPS 140-2, but not provided by PKCS12. Could it be due to it?)
Yours sincerely Sebastian
Sebastian Rose-Indorf wrote:
Stunnel 4.51b1 however
- starts only if "fips = no" is set;
- not accepts my certificate and my private key (SHA384 or RMD160,
AES128 or IDEA) any more:
error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
Do you mean that stunnel does not accept non-FIPS-approved algorithms in FIPS mode? I suppose this is something to to be expected...
Or maybe you rather mean that in FIPS mode it does not start at all (what does it mean exactly?), and with FIPS mode turned off you still can't use non-FIPS algorithms?
This essay may be helpful: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as PBE algorithm (who would want to use IDEA, anyway), I'm surprised there are also problems with AES128. It might be a good idea to report it to openssl-users mailing list...
Mike