On Sun, Dec 21, 2014 at 10:26 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
On Dec 18, 2014, at 08:27, H.U.Flück huf@inomatix.com wrote:
The error thrown is something like:
Dec 17 17:30:23 srvabas stunnel: LOG3[3385:140171595282368]: SSL_accept: 140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
What are we missing? Do we need to change the configuration?
I downloaded the source packages to identify the exact change they made. The only difference between the previous and the updated version is that the new one configures stunnel with:
configure --enable-fips --enable-ipv6 \
    CPPFLAGS="-UPIDFILE -DPIDFILE='"%{_localstatedir}/run/stunnel.pid"'"
rather than:
configure --disable-fips --enable-ipv6 \
    CPPFLAGS="-UPIDFILE -DPIDFILE='"%{_localstatedir}/run/stunnel.pid"'"
The update doesn't change anything in the source code of stunnel.
In stunnel 4.x FIPS mode is enabled by default. You may disable it with "fips = no". In order to get your configuration working without disabling FIPS mode you may also try "sslVersion = TLSv1".
Unfortunately, AFAICT there is no way to write a conf file that will reliably disable fips on the stunnel 4.x series. This issue is fixed in 5.0.
--Andy
Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@stunnel.org
https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
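A triage helper for the situation discussed in this thread, added here as an example and not code from the thread or from stunnel: it splits the quoted log line into its fields, unpacks the OpenSSL 1.0.x error code, and lists where `fips` and `sslVersion` are set in a configuration file. The sample configuration, including the `[example]` service and its ports, is constructed.

```python
import re

# stunnel log line: "LOG<level>[<pid>:<thread>]: <call>: <code>: error:<code>:<lib>:<func>:<reason>"
LOG_RE = re.compile(
    r"LOG(?P<level>\d)\[(?P<pid>\d+):(?P<tid>\d+)\]: (?P<call>\w+): "
    r"(?P<code>[0-9A-Fa-f]{8}): error:[0-9A-Fa-f]{8}:"
    r"(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>.+)$"
)

def parse_ssl_error(line):
    """Return the fields of a stunnel OpenSSL error line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    code = int(rec["code"], 16)
    # OpenSSL 1.0.x packing: 8 bits library, 12 bits function, 12 bits reason.
    # For 140760FC the library id is 0x14, which is ERR_LIB_SSL.
    rec.update(lib_id=code >> 24, func_id=(code >> 12) & 0xFFF, reason_id=code & 0xFFF)
    return rec

def effective_options(conf_text, names=("fips", "sslversion")):
    """Map section -> {option: value} for the named options; "" is the global section."""
    found, section = {"": {}}, ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            found.setdefault(section, {})
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in names:
            found[section][key.strip().lower()] = value.strip()
    return found

# Log line quoted in the thread.
SAMPLE_LOG = ("Dec 17 17:30:23 srvabas stunnel: LOG3[3385:140171595282368]: SSL_accept: "
              "140760FC: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol")
# Constructed stunnel.conf; the service name and ports are assumptions.
SAMPLE_CONF = """\
; global options
fips = no
[example]
accept = 8443
connect = 127.0.0.1:8080
sslVersion = TLSv1
"""

if __name__ == "__main__":
    print(parse_ssl_error(SAMPLE_LOG))
    print(effective_options(SAMPLE_CONF))
```
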