[stunnel-users] fips=no and slow performance problem

Michal Trojnara Michal.Trojnara at mirt.net
Thu Jan 12 11:35:42 CET 2012


Owen Ching wrote:
> we're using a rackspace cloud machine to run stunnel and haproxy.  
> we're using the x-forwarded-for stunnel patch for now with plans to  
> upgrade to send-proxy method once haproxy 1.5 is considered the  
> stable branch.

In my humble opinion it is more risky to use 3rd party patches to  
stunnel than to use the development branch of haproxy.  8-)

> So I built one machine and ran into the "FIPS_mode_set: 2D06C06E:  
> error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not  
> match" error message.

Failed FIPS fingerprint verification indicates a problem with your  
OpenSSL build rather than a problem with stunnel.
Make sure to read the OpenSSL FIPS 140-2 User Guide before you compile  
your OpenSSL in FIPS mode.

> So I changed the config to fips=no and stunnel started up but the  
> https seems really slow (multiple browsers).

It's hard to say anything without your stunnel.conf, the output of  
stunnel -version, and a sample of your log files.

Options with serious performance impact include:
  - TIMEOUTclose (should be set to 0 to work properly with buggy Microsoft SSL implementations)
  - compression
  - libwrap

Best regards,
	Mike
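As an added illustration that is not part of the thread, a minimal stunnel.conf that sets the three options listed above the way this reply recommends. Option placement follows stunnel 4.x (fips, libwrap and compression are global; TIMEOUTclose is per service); the port, backend address and certificate path are placeholders.

```ini
; --- Global options (stunnel 4.x) ---

; FIPS mode off, as the poster had to do after the fingerprint error.
; Re-enable only once OpenSSL itself passes its FIPS self-test.
fips = no

; Skip the TCP wrappers (hosts.allow/hosts.deny) lookup on every
; accepted connection; it adds latency and is rarely needed behind haproxy.
libwrap = no

; Leave compression disabled; enabling it costs CPU on every record.
; compression = deflate

; --- Service: TLS termination in front of haproxy ---
[https]
accept = 443
; placeholder: the haproxy frontend that stunnel forwards plaintext to
connect = 127.0.0.1:8080
; placeholder path to the server certificate and key
cert = /etc/stunnel/stunnel.pem

; Do not wait for the peer's close_notify on shutdown; a non-zero value
; leaves connections hanging with buggy Microsoft SSL implementations.
TIMEOUTclose = 0
```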
