Owen Ching wrote:
We're using a Rackspace Cloud machine to run stunnel and haproxy. We're using the x-forwarded-for stunnel patch for now, with plans to upgrade to the send-proxy method once haproxy 1.5 is considered the stable branch.
In my humble opinion, it is riskier to use third-party patches to stunnel than to use the development branch of haproxy. 8-)
So I built one machine and ran into the "FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match" error message.
A failed FIPS fingerprint verification indicates a problem with your OpenSSL build rather than a problem with stunnel. Make sure to read the OpenSSL FIPS 140-2 User Guide before you compile your OpenSSL in FIPS mode.
So I changed the config to fips=no and stunnel started up, but HTTPS seems really slow (in multiple browsers).
It's hard to say anything without your stunnel.conf, the output of stunnel -version, and a sample of your log files.
Options with serious performance impact include:
- TIMEOUTclose (should be set to 0 to work properly with buggy Microsoft SSL implementations)
- compression
- libwrap
Best regards, Mike
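As an added illustration of the settings discussed in this thread (this is not a configuration posted by either participant, and the certificate paths, ports, backend address and user are placeholder assumptions), the following stunnel 4.x-style stunnel.conf shows the HTTPS-terminating service with fips disabled, the global options named above as performance costs (compression, libwrap) left off, and TIMEOUTclose set to 0 in the service section where it belongs. The directive added by the third-party x-forwarded-for patch is not part of stock stunnel and is deliberately not shown.

```ini
; Added example stunnel.conf: not from the original thread.
; Paths, ports, backend address and user are assumptions for illustration.

; --- global options ---
; FIPS mode requires an OpenSSL built as a validated FIPS module; with a
; stock OpenSSL the "fingerprint does not match" error appears, so it is off here.
fips = no

; Run unprivileged after binding the listening socket (assumed account name).
setuid = stunnel
setgid = stunnel
pid = /var/run/stunnel.pid

; Logging: level 5 is verbose enough to diagnose slow handshakes; lower it later.
debug = 5
output = /var/log/stunnel.log

; Performance-relevant globals named in the thread:
; - do not set "compression = zlib" (or "rle"); TLS compression costs CPU
;   per record and is also what the CRIME attack relies on.
; - libwrap consults /etc/hosts.allow on every connection; keep it off.
libwrap = no

; --- HTTPS termination, forwarded in clear text to haproxy ---
[https]
accept = 0.0.0.0:443
; Assumed local haproxy frontend listening for the decrypted traffic.
connect = 127.0.0.1:8080
cert = /etc/stunnel/server.pem
key = /etc/stunnel/server.key

; 0 disables the close_notify wait that buggy Microsoft SSL implementations
; mishandle; the default (60 s) keeps each finished connection around and
; shows up as "slow" browsers.
TIMEOUTclose = 0
```

Pair this with the output of stunnel -version before blaming the config: if the build line does not list the feature (for instance FIPS) the corresponding directive cannot work regardless of what stunnel.conf says.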