[stunnel-users] Problems with Stunnel 4.5*

Sebastian Rose-Indorf rose-indorf at gmx.de
Thu Dec 8 23:03:28 CET 2011


Hello Mike, 
 
I can only make a statement about the non-FIPS mode, because Stunnel 4.5*
starts only if "fips = no" is set (without it, Windows gives an error message).
 
I have tested both an RSA-SHA384/AES128 certificate/private-key pair and an
RSA-RMD160/IDEA certificate/private-key pair. Both do not work.
(SHA384/AES128 is validated by FIPS 140-2, but not provided by PKCS12. Could
it be due to that?)
 
Yours sincerely
Sebastian

> Sebastian Rose-Indorf wrote:
> > Stunnel 4.51b1, however,
> > - starts only if "fips = no" is set;
> > - no longer accepts my certificate and my private key (SHA384 or RMD160,
> >   AES128 or IDEA):
> >
> > error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
> > error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
> > error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
> > error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
> > SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
> 
> Do you mean that stunnel does not accept non-FIPS-approved algorithms
> in FIPS mode?  I suppose this is something to be expected...
> 
> Or maybe you rather mean that in FIPS mode it does not start at all
> (what does it mean exactly?), and with FIPS mode turned off you still
> can't use non-FIPS algorithms?
> 
> This essay may be helpful:
> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
> 
> BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as PBE
> algorithm (who would want to use IDEA, anyway), I'm surprised there
> are also problems with AES128.  It might be a good idea to report it
> to openssl-users mailing list...
> 
> Mike
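The trace above ends in EVP_PBE_CipherInit reporting "unknown pbe algorithm", which means OpenSSL did not recognise the password-based-encryption algorithm identifier stored in the key file (the "PKCS12 routines" frames are OpenSSL's generic PBE decryption path, which it also uses for encrypted PKCS#8 keys). Before arguing about FIPS mode, the practical first step is to read the algorithm identifiers out of the key itself. The following is an added example, not code from the thread, from stunnel or from OpenSSL: a standard-library-only Python inspector with a minimal DER reader/writer that reports the PBE scheme, KDF, PRF and cipher of a PEM private key. It recognises only the OIDs in its own table (an assumption; anything else is reported as an unrecognised OID), and the two PKCS#8 samples it builds are constructed here with placeholder ciphertext so the script runs offline; they are shaped after the SHA384/AES128 and IDEA combinations named in the thread, not taken from the poster's files.

```python
"""Report which password-based encryption a PEM private key uses (added example, not stunnel/OpenSSL code)."""
import base64
import re

# Algorithm OIDs from PKCS#5 v2 (RFC 8018), PKCS#12 (RFC 7292), the NIST AES arc and the IDEA arc.
# Assumption: this table is the only source of names; unlisted OIDs are reported as unrecognised.
OID_PBES2 = "1.2.840.113549.1.5.13"
OID_PBKDF2 = "1.2.840.113549.1.5.12"
OID_HMAC_SHA1 = "1.2.840.113549.2.7"
OID_NAMES = {
    OID_PBES2: "PBES2", OID_PBKDF2: "PBKDF2", OID_HMAC_SHA1: "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256", "1.2.840.113549.2.10": "hmacWithSHA384",
    "1.2.840.113549.2.11": "hmacWithSHA512",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC", "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.3.7": "des-ede3-CBC", "1.3.6.1.4.1.188.7.1.1.2": "idea-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",
}
NULL = b"\x05\x00"
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


# ---- minimal DER reader ----------------------------------------------------
def _read_tlv(buf, pos):
    """Read one tag-length-value at pos (short and long length forms); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit set on continuation bytes
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def der_parse(buf, pos=0):
    """Parse one element into ("SEQ", [children]) / ("OID", str) / ("INT", int) / ("OCT", bytes) / ("RAW", tag)."""
    tag, value, end = _read_tlv(buf, pos)
    if tag == 0x30:
        children, p = [], 0
        while p < len(value):
            node, p = der_parse(value, p)
            children.append(node)
        return ("SEQ", children), end
    if tag == 0x06:
        return ("OID", _decode_oid(value)), end
    if tag == 0x02:
        return ("INT", int.from_bytes(value, "big", signed=True)), end
    if tag == 0x04:
        return ("OCT", value), end
    return ("RAW", tag), end


# ---- minimal DER writer (only used to construct the samples) ----------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(s):
    arcs = [int(a) for a in s.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _seq(*items):
    return _tlv(0x30, b"".join(items))


def _int(n):
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def _oct(b):
    return _tlv(0x04, b)


# ---- the check --------------------------------------------------------------
def _name(oid):
    return OID_NAMES.get(oid, oid + " (unrecognised OID)")


def describe_pbe(der):
    """Describe the encryptionAlgorithm of a PKCS#8 EncryptedPrivateKeyInfo."""
    top, _ = der_parse(der)
    if top[0] != "SEQ" or len(top[1]) != 2 or top[1][0][0] != "SEQ":
        raise ValueError("not an EncryptedPrivateKeyInfo")
    alg_oid, params = top[1][0][1][0][1], top[1][0][1][1]
    info = {"scheme": _name(alg_oid)}
    if alg_oid != OID_PBES2:               # PKCS#12 / PKCS#5 v1 PBE: the scheme OID names cipher and hash
        return info
    kdf, enc = params[1]
    kdf_oid = kdf[1][0][1]
    info["kdf"] = _name(kdf_oid)
    if kdf_oid == OID_PBKDF2:
        fields = kdf[1][1][1]              # PBKDF2-params: salt, iterationCount, [keyLength], [prf]
        info["salt_len"], info["iterations"] = len(fields[0][1]), fields[1][1]
        # prf is OPTIONAL with DEFAULT hmacWithSHA1; when present it is the trailing AlgorithmIdentifier
        info["prf"] = _name(fields[-1][1][0][1]) if fields[-1][0] == "SEQ" else _name(OID_HMAC_SHA1)
    info["cipher"] = _name(enc[1][0][1])
    return info


def inspect_key(pem):
    """Handle both PKCS#8 'ENCRYPTED PRIVATE KEY' and legacy OpenSSL 'DEK-Info' PEM encryption."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label == "ENCRYPTED PRIVATE KEY":
        info = describe_pbe(base64.b64decode("".join(body.split())))
    else:
        dek = re.search(r"^DEK-Info:\s*([^,\s]+)", body, re.M)
        info = {"scheme": "legacy PEM (DEK-Info)", "cipher": dek.group(1)} if dek else {"scheme": "unencrypted"}
    info["label"] = label
    return info


# ---- constructed samples (headers only; the ciphertext bytes are placeholders) ----
def build_sample_pkcs8(cipher_oid, iv_len, prf_oid=None):
    fields = [_oct(b"\x00" * 8), _int(2048)]
    if prf_oid:                            # omitted => DEFAULT hmacWithSHA1 per RFC 8018
        fields.append(_seq(_encode_oid(prf_oid), NULL))
    kdf = _seq(_encode_oid(OID_PBKDF2), _seq(*fields))
    enc = _seq(_encode_oid(cipher_oid), _oct(b"\x11" * iv_len))
    epki = _seq(_seq(_encode_oid(OID_PBES2), _seq(kdf, enc)), _oct(b"\x22" * 32))
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s-----END ENCRYPTED PRIVATE KEY-----\n" % base64.encodebytes(epki).decode()


SAMPLE_SHA384_AES128 = build_sample_pkcs8("2.16.840.1.101.3.4.1.2", 16, "1.2.840.113549.2.10")
SAMPLE_IDEA = build_sample_pkcs8("1.3.6.1.4.1.188.7.1.1.2", 8)
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, pem in (("sha384/aes128", SAMPLE_SHA384_AES128), ("idea", SAMPLE_IDEA), ("legacy", SAMPLE_LEGACY)):
        print(name, inspect_key(pem))
```

Point `inspect_key` at a real key file and it tells you what OpenSSL was asked to handle; `openssl asn1parse -i -in key.pem` shows the same OIDs from the command line, and `openssl pkcs8 -topk8 -v2 aes-128-cbc` (with the original key's passphrase) rewrites a key into a PBES2/PBKDF2 form built from the algorithms that build of OpenSSL actually supports.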
