[stunnel-users] Is "fips=no" recommended?

Michal Trojnara Michal.Trojnara at mirt.net
Fri Oct 25 23:43:32 CEST 2013


On 2013-10-25 17:40, Ben Stover wrote:
> In stunnel.conf there is a parameter
>
> fips=no
>
> which is currently commented out here.
>
> Is it (resp. when is it) recommended to activate this parameter?

FIPS 140-2 is a special mode of OpenSSL required by some US
organizations for compliance reasons.  It does not improve security, and
essentially disables some non-compliant cryptographic algorithms (many
of them actually useful for security).  If you don't know what it is, you
are most likely not required to use it.

In stunnel 4.x the default is to enable FIPS mode if stunnel was
compiled with FIPS-enabled OpenSSL.  In the upcoming stunnel 5.x the
default will be to disable FIPS mode.

Mike
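
Added example, not part of the original message and not stunnel's own code: a small audit helper that resolves which FIPS mode a given stunnel.conf ends up with under the defaults described above, and flags configurations whose mode would change silently on a 4.x to 5.x upgrade. The function names and the sample config are constructed for illustration, and treating `#` as a comment marker alongside `;` and matching names case-insensitively are assumptions.

```python
# Constructed sample: the option is present but commented out, as in the question.
SAMPLE_CONF = """\
; stunnel.conf (constructed for this example)
;fips = no
pid = /var/run/stunnel.pid

[imaps]
accept = 993
connect = 143
"""

def explicit_fips(conf_text):
    """Return True/False if the global section sets fips, or None if it is unset."""
    value = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":   # blank line or comment
            continue
        if line.startswith("["):          # first service section ends the global options
            break
        name, sep, val = line.partition("=")
        if sep and name.strip().lower() == "fips":
            value = val.strip().lower()   # this helper keeps the last value seen
    if value is None:
        return None
    if value not in ("yes", "no"):
        raise ValueError(f"unexpected fips value: {value!r}")
    return value == "yes"

def effective_fips(conf_text, stunnel_major, fips_openssl):
    """Resolve (mode, reason) from the config and the defaults stated in the message.

    fips_openssl: True if stunnel was compiled with FIPS-enabled OpenSSL.
    It only feeds the 4.x default; fips=yes on a non-FIPS build is not modelled.
    """
    explicit = explicit_fips(conf_text)
    if explicit is not None:
        return explicit, "explicit"
    if stunnel_major == 4:
        return fips_openssl, "4.x default"
    if stunnel_major == 5:
        return False, "5.x default"
    raise ValueError("only the 4.x and 5.x defaults are described in the message")

def changes_on_upgrade(conf_text, fips_openssl):
    """True if moving from 4.x to 5.x would flip the FIPS mode without a config change."""
    before, _ = effective_fips(conf_text, 4, fips_openssl)
    after, _ = effective_fips(conf_text, 5, fips_openssl)
    return before != after
```

A site that depends on FIPS mode for compliance would want `changes_on_upgrade` to return False, which means setting `fips` explicitly in the global section rather than relying on the default.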
