In stunnel.conf there is a parameter
fips=no
which is currently commented out here.
Is it (resp. when is it) recommended to activate this parameter?
Ben
On 2013-10-25 17:40, Ben Stover wrote:
In stunnel.conf there is a parameter
fips=no
which is currently commented out here.
Is it (resp. when is it) recommended to activate this parameter?
FIPS 140-2 is a special mode of OpenSSL required by some US organizations for compliance reasons. It does not improve security, and essentially disables some non-compliant cryptographic algorithms (many of them actually useful for security). If you don't know what it is, you are most likely not required to use it.
In stunnel 4.x the default is to enable FIPS mode if stunnel was compiled with FIPS-enabled OpenSSL. In the upcoming stunnel 5.x the default will be to disable FIPS mode.
Mike
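
An added example, not part of the thread or of stunnel itself: a check that reports which FIPS setting a given stunnel.conf ends up with under the defaults described in the reply above, so a commented-out fips line does not change behaviour unnoticed on upgrade. The function names, the sample config and the parsing rules (';' or '#' starts a comment, fips is read only before the first [service] section, a later line overrides an earlier one) are assumptions.

```python
# Added example: resolve the effective FIPS setting for a stunnel.conf.
# Defaults are taken from the reply above: stunnel 4.x enables FIPS mode when
# built with FIPS-enabled OpenSSL; stunnel 5.x disables it by default.

# Constructed sample config with the fips line commented out, as in the question.
SAMPLE_CONF = """\
; constructed sample
;fips=no
pid = /var/run/stunnel.pid

[https]
accept = 443
connect = 8080
"""


def explicit_fips(conf_text):
    """Return True/False if the global section sets fips, else None."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":  # blank or commented out (assumed syntax)
            continue
        if line.startswith("["):  # first service section ends the global options
            break
        key, sep, val = line.partition("=")
        if sep and key.strip() == "fips":
            v = val.strip().lower()
            if v not in ("yes", "no"):
                raise ValueError("unexpected fips value: %r" % val.strip())
            value = v == "yes"  # assumed: a later line overrides an earlier one
    return value


def effective_fips(conf_text, stunnel_major, openssl_fips_enabled):
    """Return (fips_on, source) where source is 'explicit' or 'default'."""
    explicit = explicit_fips(conf_text)
    if explicit is not None:
        return explicit, "explicit"
    if stunnel_major <= 4:
        return bool(openssl_fips_enabled), "default"
    return False, "default"


if __name__ == "__main__":
    for major in (4, 5):
        on, source = effective_fips(SAMPLE_CONF, major, openssl_fips_enabled=True)
        print("stunnel %d.x: fips=%s (%s)" % (major, "yes" if on else "no", source))
```

A result tagged "default" means the behaviour depends on the stunnel version and the OpenSSL build rather than on the config file.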