[stunnel-users] FIPS_mode_set:fingerprint does not match

Jack www.lly at 126.com
Thu Mar 1 04:18:04 CET 2012


The following errors are generated during connection without fips on:
 
2012.02.29 19:11:48 LOG6[13546:139687476688640]: SSL accepted: new session negotiated
2012.02.29 19:11:48 LOG6[13546:139687476688640]: Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
2012.02.29 19:11:48 LOG6[13546:139687476688640]: Compression: zlib compression, expansion: zlib compression
2012.02.29 19:11:48 LOG6[13546:139687476688640]: connect_blocking: connecting 127.0.0.1:30010
2012.02.29 19:11:48 LOG7[13546:139687476688640]: connect_blocking: s_poll_wait 127.0.0.1:30010: waiting 10 seconds
2012.02.29 19:11:48 LOG5[13546:139687476688640]: connect_blocking: connected 127.0.0.1:30010
2012.02.29 19:11:48 LOG5[13546:139687476688640]: Service 3proxy connected remote server from 127.0.0.1:52872
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Remote FD=8 initialized
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Socket closed on read
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Sending close_notify alert
2012.02.29 19:11:48 LOG6[13546:139687476688640]: SSL_shutdown successfully sent close_notify alert
2012.02.29 19:11:48 LOG5[13546:139687476688640]: Error detected on SSL (read) file descriptor: Connection reset by peer (104)
-----------------------------------------
Stunnel settings:
-----------------------------------------
#Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem
#
#Authentication stuff
;CApath = /etc/stunnel/Trusted
;CRLpath =  /etc/stunnel/Revoked
CAfile = /usr/local/etc/stunnel/Trusted/Trusted.pem
verify = 0
#
#Log
#output  = /var/log/stunnel.log
debug = 7
foreground = yes
#
#Protocol version (all, SSLv2, SSLv3, TLSv1)
#sslVersion = SSLv3
options = NO_SSLv2
#
#Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
#
#Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
options = DONT_INSERT_EMPTY_FRAGMENTS
compression = zlib
#
#These options provide additional security at some performance degradation
options = SINGLE_ECDH_USE
options = SINGLE_DH_USE
#
# Connections
[3proxy]
accept = 30001
connect = 127.0.0.1:30010
client = no
TIMEOUTidle = 1800
----------------------------------------
 
 
I have also tried with different certificates; that does not work either. I downloaded the cert and key from the server and started a server on my client computer, and everything runs fine.
 
Thank you for replying and helping.
 
At 2012-03-01 10:25:52,"Jake Skinner" <Jake.Skinner at ontariosystems.com> wrote:


Have you tried disabling FIPS to see if your connection works without?

Jake Skinner
Telephony Technology Specialist
Ontario Systems, LLC
Office +1.765.751.7000


Thumbed posthaste from my mobile device; please forgive any typing or grammatical errors.


From: stunnel-users-bounces at stunnel.org
To: stunnel-users at stunnel.org
Sent: Wed Feb 29 19:41:02 2012
Subject: [stunnel-users] FIPS_mode_set:fingerprint does not match


I have the following problem running stunnel on CentOS 6.x 64bit with the following error:

I have been searching with Google to see if there was a solution, but nothing was found.

Thank you for your reply and your help, hopefully I can get this solved.

********************************************************************************

Clients allowed=500
stunnel 4.52 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:ENGINE,FIPS Auth:none Sockets:POLL,IPv6
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match

*******************************************************************************