[stunnel-users] fips=no and slow performance problem
Michal Trojnara
Michal.Trojnara at mirt.net
Thu Jan 12 11:35:42 CET 2012

Owen Ching wrote:

> we're using a rackspace cloud machine to run stunnel and haproxy.
> we're using the x-forwarded-for stunnel patch for now with plans to
> upgrade to send-proxy method once haproxy 1.5 is considered the
> stable branch.

In my humble opinion it is more risky to use 3rd party patches to
stunnel than to use the development branch of haproxy. 8-)

> So I built one machine and ran into the "FIPS_mode_set: 2D06C06E:
> error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not
> match" error message.

Failed FIPS fingerprint verification indicates a problem with your
OpenSSL build rather than a problem with stunnel.
Make sure to read the OpenSSL FIPS 140-2 User Guide before you compile
your OpenSSL in FIPS mode.

> So I changed the config to fips=no and stunnel started up but the
> https seems really slow (multiple browsers).

It's hard to say anything without your stunnel.conf, the output of
stunnel -version, and a sample of your log files.

Options with serious performance impact include:
- TIMEOUTclose (should be set to 0 to work properly with buggy
  Microsoft SSL implementations)
- compression
- libwrap

Best regards,
Mike
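
An added example, not part of the original message and not stunnel's own code: a small Python check that reads a stunnel.conf and reports, per service, the three options the reply lists as having a serious performance impact. The sample configuration is constructed, and the defaults used (TIMEOUTclose of 60 seconds, no compression, libwrap enabled) are assumptions taken from the stunnel manual.

```python
# Added example: flag stunnel.conf options the reply lists as costly.
# Assumed defaults, per the stunnel manual: 60 s close timeout, no
# compression, libwrap on when stunnel is built with libwrap support.
DEFAULTS = {"timeoutclose": "60", "compression": "", "libwrap": "yes"}
# Constructed sample configuration, not the poster's file.
SAMPLE = """\
fips = no
compression = zlib

[https]
accept = 443
connect = 127.0.0.1:8080
TIMEOUTclose = 0

[imaps]
accept = 993
connect = 127.0.0.1:143
"""

def parse_conf(text):
    """Return {section: {option: value}}; lines before any [service] go to 'global'."""
    sections, current = {"global": {}}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit(text):
    """Return (service, option, effective value) for each costly setting."""
    sections = parse_conf(text)
    services = [s for s in sections if s != "global"] or ["global"]
    findings = []
    for name in services:
        # A service's own setting wins, then the global section, then the default.
        eff = {**DEFAULTS, **sections["global"], **sections[name]}
        if eff["timeoutclose"] != "0":
            findings.append((name, "TIMEOUTclose", eff["timeoutclose"]))
        if eff["compression"]:
            findings.append((name, "compression", eff["compression"]))
        if eff["libwrap"].lower() != "no":
            findings.append((name, "libwrap", eff["libwrap"]))
    return findings
```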