[stunnel-users] RHEL6 Update stunnel-4.29-3.el6_6.1 breaks functionality?

Andy Lutomirski luto at amacapital.net
Sun Dec 21 20:05:35 CET 2014


On Sun, Dec 21, 2014 at 10:26 AM, Michal Trojnara
<Michal.Trojnara at mirt.net> wrote:
>
>> On Dec 18, 2014, at 08:27, H.U.Flück <huf at inomatix.com> wrote: The
>> error thrown is something like: Dec 17 17:30:23 srvabas stunnel:
>> LOG3[3385:140171595282368]: SSL_accept: 140760FC:
>> error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown
>> protocol
>>
>> What are we missing? Do we need to change the configuration?
>
> I downloaded the source packages to identify the exact change they made.
> The only difference between the previous and the updated version is
> that the new one configures stunnel with:
>
> configure --enable-fips --enable-ipv6 \
>   CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
>
> rather than:
>
> configure --disable-fips --enable-ipv6 \
>   CPPFLAGS="-UPIDFILE -DPIDFILE='\"%{_localstatedir}/run/stunnel.pid\"'"
>
> The update doesn't change anything in the source code of stunnel.
>
> In stunnel 4.x FIPS mode is enabled by default.  You may disable it
> with "fips = no".  In order to get your configuration working without
> disabling FIPS mode you may also try "sslVersion = TLSv1".

Unfortunately, AFAICT there is no way to write a conf file that will
reliably disable fips on the stunnel 4.x series.  This issue is fixed
in 5.0.

--Andy

>
> Mike



-- 
Andy Lutomirski
AMA Capital Management, LLC
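The `SSL_accept` error quoted above (`SSL23_GET_CLIENT_HELLO:unknown protocol`) is what OpenSSL's protocol-sniffing accept path raises when the first bytes it reads match neither a TLS record nor an SSLv2-compatible ClientHello, so a useful first check when triaging it is to look at what the client actually sent. The classifier below is an added example written for this archive page, not code from the thread or from stunnel; it assumes you have the first few bytes of a failing connection (for instance from a packet capture), and the sample prefixes in it are constructed.

```python
# Added diagnostic for "SSL23_GET_CLIENT_HELLO:unknown protocol": classify
# the first bytes a client sent on a fresh connection. Example code written
# for this note, not stunnel's own code. Byte layouts follow RFC 5246
# (TLS record header) and its Appendix E.2 (SSLv2-compatible ClientHello).

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01


def classify_client_prefix(data: bytes) -> tuple:
    """Return (kind, detail) describing the first bytes from a client."""
    if len(data) < 5:
        return ("short", "fewer than 5 bytes; capture more before deciding")
    # TLS record header: content type, major 3, minor 0..3, 2-byte length.
    if data[0] == TLS_HANDSHAKE and data[1] == 0x03 and data[2] <= 0x03:
        if len(data) < 6:
            return ("tls_record", "handshake record; message type not yet seen")
        if data[5] != CLIENT_HELLO:
            return ("tls_record", "handshake record, but not a ClientHello")
        # ClientHello body carries client_version at record offsets 9..10.
        ver = f"{data[9]}.{data[10]}" if len(data) >= 11 else "unknown"
        return ("tls_client_hello",
                f"record {data[1]}.{data[2]}, client version {ver}")
    # SSLv2-compatible hello: 2-byte length with the high bit set, then
    # message type 1 and the client's highest supported version.
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return ("sslv2_client_hello", f"client version {data[3]}.{data[4]}")
    # Neither hello form was found, which is the "unknown protocol" case.
    # Printable text usually means a cleartext client hit the TLS port.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data):
        return ("plaintext", data.split(b"\r\n", 1)[0].decode("ascii"))
    return ("unknown", "neither a TLS record nor an SSLv2 hello")


# Constructed sample prefixes (not captured from the reporter's system).
SAMPLES = {
    "tls": bytes.fromhex("160301002f0100002b0301"),   # TLS 1.0 ClientHello
    "sslv2": bytes.fromhex("802e010301"),             # SSLv2-style hello
    "plain": b"EHLO mail.example\r\nQUIT\r\n",          # cleartext SMTP
    "short": b"\x16\x03",
}

if __name__ == "__main__":
    for name, prefix in SAMPLES.items():
        print(name, classify_client_prefix(prefix))
```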