[stunnel-users] Please allow fips=no even if !USE_FIPS

Andy Lutomirski luto at amacapital.net
Mon Mar 10 20:14:26 CET 2014


It's currently impossible to make a stunnel config file that works
with reasonable settings on both a USE_FIPS build (e.g. Fedora) and a
!USE_FIPS build (e.g. Ubuntu).  This is because, if USE_FIPS, fips
defaults to "yes" (which is, for most purposes, a serious problem)
and, if !USE_FIPS, the setting 'fips=no' prevents stunnel from
starting.

I've observed this on stunnel 4.53, and it looks like the same issue
exists in the source in stunnel 4.56 and 5.00.

(Note that, if targetting stunnel 5.00, this is less of an issue,
since the default value of 'fips' changed.  Nonetheless, it would be
nice to accept 'fips=no' to avoid surprises.)

Thanks,
Andy


More information about the stunnel-users mailing list