I have a production system that uses stunnel and it's been working pretty well. Mike, thanks for all your hard work.
But there has been a weird issue that I ran into a while ago and now it's happening again.
We're using a Rackspace cloud machine to run stunnel and haproxy. We're using the x-forwarded-for stunnel patch for now, with plans to upgrade to the send-proxy method once haproxy 1.5 is considered the stable branch.
So I built one machine and ran into the "FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match" error message. So I changed the config to fips=no and stunnel started up, but the https seems really slow (multiple browsers). We run with significant https volume, so the fips=no option didn't work for us. I kept trying different things but nothing worked. I decided to start clean and built a new machine. This time stunnel didn't throw the FIPS error and everything performed great, so I used the new machine instead.
Now, after some time (over a year), we had some performance problems. We rebooted the machine and now we have the FIPS error again. I've tried multiple versions of stunnel (whatever I could find working patches for) and also tried a clean 4.51 with no patches. All of them throw the FIPS error now on this machine. I'm in the process of building a new machine to see if it magically works again.
Any help or insight would be greatly appreciated.
Thanks, Owen
Owen Ching wrote:
We're using a Rackspace cloud machine to run stunnel and haproxy. We're using the x-forwarded-for stunnel patch for now, with plans to upgrade to the send-proxy method once haproxy 1.5 is considered the stable branch.
In my humble opinion it is more risky to use third-party patches to stunnel than to use the development branch of haproxy. 8-)
So I built one machine and ran into the "FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match" error message.
Failed FIPS fingerprint verification indicates a problem with your OpenSSL build rather than a problem with stunnel. Make sure to read the OpenSSL FIPS 140-2 User Guide before you compile your OpenSSL in FIPS mode.
So I changed the config to fips=no and stunnel started up, but the https seems really slow (multiple browsers).
It's hard to say anything without your stunnel.conf, the output of stunnel -version, and a sample of your log files.
Options with serious performance impact include:
- TIMEOUTclose (should be set to 0 to work properly with buggy Microsoft SSL implementations)
- compression
- libwrap
Best regards, Mike
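Mike's list above names three options that cost something on every connection. As an added example (not code from this thread or from the stunnel project), the script below audits a stunnel.conf for them: it flags any `compression` setting, `libwrap = yes`, a non-zero `TIMEOUTclose`, and a service section that never sets `TIMEOUTclose` at all (stunnel's documented default is 60 seconds; Mike recommends 0). The sample config it writes is constructed for the demonstration, and the `[https]` / `[smtps]` service names and ports in it are invented.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel project: audit a
# stunnel.conf for the options Mike lists as having a serious performance
# impact (TIMEOUTclose, compression, libwrap).

# Write a constructed sample stunnel.conf to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
; constructed sample stunnel.conf, not a real deployment
compression = zlib
fips = no
cert = /etc/stunnel/stunnel.pem

[https]
accept  = 443
connect = 8080
libwrap = yes

[smtps]
accept  = 465
connect = 25
TIMEOUTclose = 0
EOF
}

# Print one finding per line. Global options are reported under "(global)",
# service options under their [section]. TIMEOUTclose is a per-service
# option, so each service that never sets it is reported separately.
audit_stunnel_conf() {
    awk '
        BEGIN { section = "(global)"; seen_tc = 0 }
        # Strip ;/# comments and surrounding whitespace before matching.
        { sub(/[;#].*$/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        /^\[.*\]$/ { flush(); section = $0; next }
        /=/ {
            key = $0; sub(/[ \t]*=.*$/, "", key); key = tolower(key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); val = tolower(val)
            if (key == "compression")
                print section ": compression = " val " (compresses every connection; costs CPU)"
            if (key == "libwrap" && val == "yes")
                print section ": libwrap = yes (hosts.allow/hosts.deny check on every connection)"
            if (key == "timeoutclose") {
                seen_tc = 1
                if (val != "0")
                    print section ": TIMEOUTclose = " val " (non-zero; Mike recommends 0)"
            }
        }
        # Called when a section ends: report a service that never set TIMEOUTclose.
        function flush() {
            if (section != "(global)" && !seen_tc)
                print section ": TIMEOUTclose not set (defaults to 60; Mike recommends 0)"
            seen_tc = 0
        }
        END { flush() }
    ' "$1"
}

# Number of findings, for scripting (0 means nothing to tune here).
count_findings() { audit_stunnel_conf "$1" | wc -l | tr -d ' '; }

# Demonstration on the constructed sample.
sample=$(mktemp)
write_sample_conf "$sample"
audit_stunnel_conf "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

Run it against your real file with `audit_stunnel_conf /etc/stunnel/stunnel.conf`. On the sample it reports the global `compression`, the `libwrap = yes` in `[https]`, and the missing `TIMEOUTclose` in `[https]`; `[smtps]` is clean because it sets `TIMEOUTclose = 0`. A clean audit does not prove the box is fast, as Owen's follow-up shows, but it removes the configuration causes Mike names before you go looking at the system.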
Thanks for replying, Mike. It turns out the FIPS performance wasn't really the issue. After turning on debugging and taking the time to carefully read through the stunnel.log output, it turned out the open file limit and max user process limit were choking the performance of stunnel. After adjusting the limits, performance has returned to acceptable levels. It does take a while for stunnel to "warm up" after a restart, but after a minute or two it seems to work just fine. Thanks again for replying.
Maybe as a suggestion, a quick note on the stunnel performance page would be nice. I did stumble across that page while searching for a fix and saw that stunnel should be able to handle the load it was getting. I just didn't know how to fix/tune it.
Thanks again! Owen
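Owen's root cause was the process's open-file and user-process limits, which only showed up once he read the debug log. As an added example (not from the thread or the stunnel project), the script below does that check proactively on Linux: it reads `/proc/<pid>/limits`, counts the descriptors the process holds and the processes its user owns, and classifies usage against the soft limit. The 80 % / 95 % thresholds and the `OK`/`WARN`/`CRIT` labels are this example's own choices, and the limits text in the comments and test is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the stunnel project: report how close
# a running process (such as stunnel) is to its open-file and process limits,
# the condition Owen found in his logs. Linux /proc only; elsewhere it says so.

# Print the soft value of one row of /proc/<pid>/limits. $1 is the limits text,
# $2 the row name, e.g. "Max open files" or "Max processes".
# A constructed row looks like:
#   Max open files            1024                 4096                 files
limit_value() {
    printf '%s\n' "$1" | awk -v name="$2" '
        index($0, name) == 1 { sub("^" name "[ \t]+", ""); print $1; exit }'
}

# Classify usage against a soft limit: OK below 80 %, WARN from 80 %,
# CRIT from 95 %. "unlimited" never warns. Thresholds are this example's choice.
usage_status() {
    used="$1"; soft="$2"
    [ "$soft" = "unlimited" ] && { echo OK; return; }
    pct=$(( used * 100 / soft ))
    if [ "$pct" -ge 95 ]; then echo CRIT
    elif [ "$pct" -ge 80 ]; then echo WARN
    else echo OK; fi
}

# Descriptors the process currently holds (entries in /proc/<pid>/fd).
fd_count() { ls "/proc/$1/fd" 2>/dev/null | wc -l | tr -d ' '; }

# Processes owned by the same user as the given pid; that is what the
# "Max processes" limit is counted against.
process_count_for_pid() {
    user=$(stat -c %U "/proc/$1" 2>/dev/null) || return 1
    ps -u "$user" -o pid= | wc -l | tr -d ' '
}

# Report both limits for a live pid. Returns 1 when /proc is unavailable.
check_process_limits() {
    pid="$1"
    if [ ! -r "/proc/$pid/limits" ]; then
        echo "no /proc/$pid/limits (not Linux, or no such pid)"
        return 1
    fi
    limits=$(cat "/proc/$pid/limits")
    fd_soft=$(limit_value "$limits" "Max open files")
    pr_soft=$(limit_value "$limits" "Max processes")
    fds=$(fd_count "$pid")
    procs=$(process_count_for_pid "$pid" || echo 0)
    [ -n "$procs" ] || procs=0
    echo "pid $pid open files:     $fds / $fd_soft ($(usage_status "$fds" "$fd_soft"))"
    echo "pid $pid user processes: $procs / $pr_soft ($(usage_status "$procs" "$pr_soft"))"
}

# Demonstration: check the pid given as $1, or this shell when none is given.
check_process_limits "${1:-$$}" || true
```

Point it at stunnel with `check_process_limits "$(pidof stunnel | cut -d' ' -f1)"` (or whichever pid your init script records). A `WARN` on open files means new connections will soon fail to get a socket, which a busy proxy experiences as exactly the kind of slowdown Owen describes; the limit is raised for the service by setting `ulimit -n` in the init script before it starts stunnel, or through the system's limits configuration, and the effect is confirmed by re-reading `/proc/<pid>/limits` after the restart.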
On Thu, Jan 12, 2012 at 2:35 AM, Michal Trojnara Michal.Trojnara@mirt.net wrote:
stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users