Sebastian Rose-Indorf wrote:
Stunnel 4.51b1 however
- starts only if "fips = no" is set;
- does not accept my certificate and my private key (SHA384 or RMD160, AES128 or IDEA) any more:
error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
Do you mean that stunnel does not accept non-FIPS-approved algorithms in FIPS mode? I suppose this is something to be expected...
Or maybe you rather mean that in FIPS mode it does not start at all (what does it mean exactly?), and with FIPS mode turned off you still can't use non-FIPS algorithms?
This essay may be helpful: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as PBE algorithm (who would want to use IDEA, anyway), I'm surprised there are also problems with AES128. It might be a good idea to report it to openssl-users mailing list...
Mike
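An added example, not part of this thread, showing what the PKCS12_pbe_crypt / EVP_PBE_CipherInit path in the error above has to recognise: the PBE algorithm chain inside a PKCS#8 EncryptedPrivateKeyInfo. It builds a constructed sample (not a real key), walks its DER, and flags algorithms outside an assumed FIPS-approved set; the OIDs are standard values, but the approved set is my assumption, not a statement of which combinations a given OpenSSL FIPS build accepts.

```python
OIDS = {  # dotted OIDs from RFC 8018 / NIST CSOR; idea-cbc is OpenSSL's own arc
    "1.2.840.113549.1.5.13": "PBES2", "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.10": "hmacWithSHA384", "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
    "1.3.6.1.4.1.188.7.1.1.2": "idea-cbc",
}
# Assumed approved set for this check; it says nothing about which combinations a
# particular OpenSSL FIPS module build actually accepts as PBKDF2 PRF or PBES2 cipher.
FIPS_OK = {"PBES2", "PBKDF2", "hmacWithSHA384", "aes-128-cbc"}

def der(tag, body):  # minimal DER TLV encoder (lengths below 64 KiB)
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x82, n >> 8, n & 0xFF])) + body
def encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7; chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))
def build_sample(prf_oid, cipher_oid):  # constructed: PBES2 over PBKDF2(prf) + cipher
    kdf_params = der(0x30, der(0x04, b"\x00" * 8) + der(0x02, b"\x08\x00")  # salt, iterations
                     + der(0x30, encode_oid(prf_oid) + der(0x05, b"")))
    kdf = der(0x30, encode_oid("1.2.840.113549.1.5.12") + kdf_params)
    enc = der(0x30, encode_oid(cipher_oid) + der(0x04, b"\x00" * 8))  # dummy IV
    pbes2 = der(0x30, encode_oid("1.2.840.113549.1.5.13") + der(0x30, kdf + enc))
    return der(0x30, pbes2 + der(0x04, b"\x11" * 32))  # dummy encryptedData
def read_tlv(buf, pos):  # returns (tag, body, next position); handles long-form lengths
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F; n = int.from_bytes(buf[pos:pos + k], "big"); pos += k
    return tag, buf[pos:pos + n], pos + n
def decode_oid(body):
    parts, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80: parts.append(v); v = 0
    return ".".join(map(str, parts))
def collect_oids(buf):  # depth-first list of every OID, descending into constructed tags
    oids, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x06: oids.append(decode_oid(body))
        elif tag & 0x20: oids.extend(collect_oids(body))
    return oids

def pbe_report(blob):  # (algorithm names in encounter order, names outside FIPS_OK)
    names = [OIDS.get(o, o) for o in collect_oids(blob)]
    return names, [n for n in names if n not in FIPS_OK]
```

On a real key file, `openssl asn1parse -in key.pem` prints the same OID chain, which is the quickest way to see which PRF and cipher the key was encrypted with before asking why a FIPS build rejects it.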