[stunnel-users] Problems with Stunnel 4.5*
Michal Trojnara
Michal.Trojnara at mirt.net
Thu Dec 8 22:31:20 CET 2011
Sebastian Rose-Indorf wrote:
> Stunnel 4.51b1 however
> - starts only if "fips = no" is set;
> - does not accept my certificate and my private key (SHA384 or RMD160,
> AES128 or IDEA) any more:
>
> error queue: 140B0009: error:140B0009:SSL
> routines:SSL_CTX_use_PrivateKey_file:PEM lib
> error queue: 907B00D: error:0907B00D:PEM
> routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> error queue: 2306A075: error:2306A075:PKCS12
> routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> error queue: 23077073: error:23077073:PKCS12
> routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
> SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope
> routines:EVP_PBE_CipherInit:unknown pbe algorithm
Do you mean that stunnel does not accept non-FIPS-approved algorithms
in FIPS mode? I suppose this is something to be expected...
Or maybe you rather mean that in FIPS mode it does not start at all
(what does it mean exactly?), and with FIPS mode turned off you still
can't use non-FIPS algorithms?
This essay may be helpful: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as a PBE
algorithm (who would want to use IDEA, anyway), I'm surprised there
are also problems with AES128. It might be a good idea to report it
to the openssl-users mailing list...
Mike
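
Added example, not part of the message above or of stunnel: a small decoder for the quoted error queue, showing which entries only pass a failure up from another library and which name the actual fault. It assumes the OpenSSL 1.0.x packing of error codes (8-bit library, 12-bit function, 12-bit reason); the `LIBS` table and all function names are this example's own.

```python
import re

# Library numbers from OpenSSL 1.0.x err.h (only those seen in the quoted log).
LIBS = {6: "EVP", 9: "PEM", 13: "ASN1", 20: "SSL", 35: "PKCS12"}

# Error queue from the quoted message, with the mail line-wrapping undone.
LOG = """\
error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
"""

ENTRY = re.compile(r"error:([0-9A-Fa-f]{8}):([^:\n]+):([^:\n]+):([^\n]+)")


def unpack(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def decode_queue(text):
    """Return one dict per 'error:XXXXXXXX:...' entry found in text."""
    entries = []
    for m in ENTRY.finditer(text):
        lib, func, reason = unpack(int(m.group(1), 16))
        # Reason codes below 64 that equal a library number are the generic
        # ERR_R_<LIB>_LIB values: the failure was passed up from that library.
        passed_up_from = LIBS.get(reason) if reason < 64 else None
        entries.append({
            "lib": LIBS.get(lib, str(lib)),
            "function": m.group(3),
            "reason": reason,
            "text": m.group(4).strip(),
            "passed_up_from": passed_up_from,
        })
    return entries


def specific_failures(entries):
    """Entries whose reason is library-specific rather than a pass-through."""
    return [e for e in entries if e["passed_up_from"] is None]


if __name__ == "__main__":
    for e in decode_queue(LOG):
        via = f" (from {e['passed_up_from']})" if e["passed_up_from"] else ""
        print(f"{e['lib']:7} {e['function']:28} reason={e['reason']:3} {e['text']}{via}")
```

On the quoted log, the SSL and PEM entries are pass-throughs, and the library-specific entries lead to `EVP_PBE_CipherInit` reporting an unknown PBE algorithm.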