[stunnel-users] fips=no and slow performance problem

Owen Ching owen.ching at tapjoy.com
Thu Jan 12 02:07:16 CET 2012

I have a production system that uses stunnel and it's been working pretty
well. Mike, thanks for all your hard work.

But there has been a weird issue that I ran into a while ago and now it's
happening again.

We're using a Rackspace cloud machine to run stunnel and haproxy. We're
using the x-forwarded-for stunnel patch for now, with plans to upgrade to
the send-proxy method once haproxy 1.5 is considered the stable branch.

So I built one machine and ran into the "FIPS_mode_set: 2D06C06E:
error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match"
error message. So I changed the config to fips=no and stunnel started up
but the https seems really slow (multiple browsers). We run with
significant https volume. So the fips=no option didn't work for us. I kept
trying different things but nothing worked. I decided to start clean and
built a new machine. This time stunnel didn't throw the FIPS error and
everything performed great. So I used the new machine instead.

Now, after some time (over a year), we had some performance problems. We
rebooted the machine and now we have the FIPS error again. I've tried
multiple versions of stunnel (whatever I could find working patches for)
and also tried a clean 4.51 with no patches. All of them throw the FIPS
error now on this machine. I'm in the process of building a new machine to
see if it magically works again.

Any help or insight would be greatly appreciated.
