[stunnel-users] FIPS_mode_set:fingerprint does not match

Jack www.lly at 126.com
Thu Mar 1 04:18:04 CET 2012

The following errors are generated during connection without fips on:
2012.02.29 19:11:48 LOG6[13546:139687476688640]: SSL accepted: new session negotiated
2012.02.29 19:11:48 LOG6[13546:139687476688640]: Negotiated ciphers: DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
2012.02.29 19:11:48 LOG6[13546:139687476688640]: Compression: zlib compression, expansion: zlib compression
2012.02.29 19:11:48 LOG6[13546:139687476688640]: connect_blocking: connecting
2012.02.29 19:11:48 LOG7[13546:139687476688640]: connect_blocking: s_poll_wait waiting 10 seconds
2012.02.29 19:11:48 LOG5[13546:139687476688640]: connect_blocking: connected
2012.02.29 19:11:48 LOG5[13546:139687476688640]: Service 3proxy connected remote server from
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Remote FD=8 initialized
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Socket closed on read
2012.02.29 19:11:48 LOG7[13546:139687476688640]: Sending close_notify alert
2012.02.29 19:11:48 LOG6[13546:139687476688640]: SSL_shutdown successfully sent close_notify alert
2012.02.29 19:11:48 LOG5[13546:139687476688640]: Error detected on SSL (read) file descriptor: Connection reset by peer (104)

Stunnel settings:
#Certificate/key is needed in server mode and optional in client mode
cert = /usr/local/etc/stunnel/stunnel.pem
key = /usr/local/etc/stunnel/stunnel.pem
#Authentication stuff
;CApath = /etc/stunnel/Trusted
;CRLpath =  /etc/stunnel/Revoked
CAfile = /usr/local/etc/stunnel/Trusted/Trusted.pem
verify = 0
#output  = /var/log/stunnel.log
debug = 7
foreground = yes
#Protocol version (all, SSLv2, SSLv3, TLSv1)
#sslVersion = SSLv3
options = NO_SSLv2
#Disable FIPS mode to allow non-approved protocols and algorithms
fips = no
#Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib
#These options provide additional security at some performance degradation
options = SINGLE_DH_USE
# Connections
accept = 30001
connect =
client = no
TIMEOUTidle = 1800

I have also tried with different certificates; that does not work either. I downloaded the cert and key from the server and started a server on my client computer, and everything runs fine.

Thank you for replying and helping.

At 2012-03-01 10:25:52,"Jake Skinner" <Jake.Skinner at ontariosystems.com> wrote:

Have you tried disabling FIPS to see if your connection works without?

Jake Skinner
Telephony Technology Specialist
Ontario Systems, LLC
Office +1.765.751.7000

Thumbed posthaste from my mobile device; please forgive any typing or grammatical errors.

From: stunnel-users-bounces at stunnel.org
To: stunnel-users at stunnel.org
Sent: Wed Feb 29 19:41:02 2012
Subject: [stunnel-users] FIPS_mode_set:fingerprint does not match

I have the following problem running stunnel on CentOS 6.x 64-bit with the following error:

I have been searching with Google to see if there was a solution, but nothing was found.

Thank you for your reply and your help, hopefully I can get this solved.


Clients allowed=500
stunnel 4.52 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.0-fips 29 Mar 2010
Threading:PTHREAD SSL:ENGINE,FIPS Auth:none Sockets:POLL,IPv6
Reading configuration from file /usr/local/etc/stunnel/stunnel.conf
FIPS_mode_set: 2D06C06E: error:2D06C06E:FIPS routines:FIPS_mode_set:fingerprint does not match

