[stunnel-users] stunnel-users Digest, Vol 176, Issue 3

Andrew Smalley asmalley at loadbalancer.org
Mon Mar 4 18:15:52 CET 2019


FIPS in stunnel and OpenSSL


The actual cause of the problem is that OpenSSL v1.1.x does not support
the FIPS engine and, as such, you can only use a FIPS-compliant cipher
until FIPS is recertified, as I understand it.


Andruw Smalley

Loadbalancer.org Ltd.

www.loadbalancer.org
+1 888 867 9504 / +44 (0)330 380 1064
asmalley at loadbalancer.org



On Mon, 4 Mar 2019 at 16:20, <stunnel-users-request at stunnel.org> wrote:
> Today's Topics:
>
>    1. FIPS mode not supported (Yan Renelt)
>    2. Re: FIPS mode not supported (mlrx)
>    3. Re: FIPS mode not supported (Flo Rance)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 4 Mar 2019 16:14:47 +0100
> From: Yan Renelt <reneltyan at gmail.com>
> To: stunnel-users at stunnel.org
> Subject: [stunnel-users] FIPS mode not supported
> Message-ID: <3F804E14-5218-42A5-9850-7AEBC0EF8F96 at gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> my config is
> cert = stunnel.pem
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
> debug = 7
>
> fips = yes
>
> [Demo-Trading]
> client = yes
> accept = 127.0.0.1:40001
> connect = fix-order.london-demo.lmax.com:443
> sslVersion = TLSv1
> options = NO_SSLv2
> options = NO_SSLv3
>
> [Demo – Market Data]
> client = yes
> accept = 127.0.0.1:40003
> connect = fix-marketdata.london-demo.lmax.com:443
> sslVersion = TLSv1
> options = NO_SSLv2
> options = NO_SSLv3
>
>
> and I am still receiving this error.
>
> FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
>
> Any suggestions? Fips = no is not an option for me.
>
>
> Thanks
>
> Yan
>
> ------------------------------
>
> Message: 2
> Date: Mon, 4 Mar 2019 17:15:30 +0100
> From: mlrx <stunnel.org at 18informatique.com>
> To: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] FIPS mode not supported
> Message-ID: <acfab10c-f42e-84b9-82b9-cf958281d0de at 18informatique.com>
> Content-Type: text/plain; charset=utf-8
>
> On 04/03/2019 at 16:14, Yan Renelt wrote:
> > Hi,
> Hi,
>
> > my config is
> > cert = stunnel.pem
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> > debug = 7
> >
> > fips = yes
> >
> > [Demo-Trading]
> > client = yes
> > accept = 127.0.0.1:40001
> > connect = fix-order.london-demo.lmax.com:443
> > sslVersion = TLSv1
> Why do you use this one?
> Isn't it better to use TLSv1.2 min.?
>
> > options = NO_SSLv2
> > options = NO_SSLv3
> >
> > [Demo – Market Data]
> > client = yes
> > accept = 127.0.0.1:40003
> > connect = fix-marketdata.london-demo.lmax.com:443
> > sslVersion = TLSv1
> > options = NO_SSLv2
> > options = NO_SSLv3
> >
> >
> > and I am still receiving this error.
> >
> > FIPS_mode_set: F06D065: error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
> >
> > Any suggestions? Fips = no is not an option for me.
> >
> >
> > Thanks
> >
> > Yan
>
> Which OS?
> Do you use `debug = 7`? Some information in it?
> On OpenBSD (for example), `rcctl -d start stunnel` could give you
> some useful information.
>
> Here is a sample of mine (client = no):
> debug = 7
> output = stunnel.log
> sslVersion = TLSv1.2
> options = CIPHER_SERVER_PREFERENCE
> ciphers = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384
> curve = secp384r1
>
>
> Regards,
> --
> mlrx
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 4 Mar 2019 17:19:38 +0100
> From: Flo Rance <trourance at gmail.com>
> To: Yan Renelt <reneltyan at gmail.com>
> Cc: stunnel-users at stunnel.org
> Subject: Re: [stunnel-users] FIPS mode not supported
> Message-ID:
>         <CAHogYcV=Uwb-nwOrH0w7w0b7vJvyfaBBCDQcOEGQXrxwXsw=PQ at mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> You don't give much detail on which environment stunnel is installed in, but
> it seems that it has been compiled with a version of OpenSSL that doesn't
> have the FIPS object module.
>
> Flo
>
> On Mon, Mar 4, 2019 at 4:15 PM Yan Renelt <reneltyan at gmail.com> wrote:
>
> > Hi,
> >
> > my config is
> > cert = stunnel.pem
> > socket = l:TCP_NODELAY=1
> > socket = r:TCP_NODELAY=1
> > debug = 7
> >
> > fips = yes
> >
> > [Demo-Trading]
> > client = yes
> > accept = 127.0.0.1:40001
> > connect = fix-order.london-demo.lmax.com:443
> > sslVersion = TLSv1
> > options = NO_SSLv2
> > options = NO_SSLv3
> >
> > [Demo – Market Data]
> > client = yes
> > accept = 127.0.0.1:40003
> > connect = fix-marketdata.london-demo.lmax.com:443
> > sslVersion = TLSv1
> > options = NO_SSLv2
> > options = NO_SSLv3
> >
> >
> > and I am still receiving this error.
> >
> > FIPS_mode_set: F06D065: error:0F06D065:common libcrypto
> > routines:FIPS_mode_set:fips mode not supported
> >
> > Any suggestions? Fips = no is not an option for me.
> >
> >
> > Thanks
> >
> > Yan
>
> ------------------------------
>
> End of stunnel-users Digest, Vol 176, Issue 3
> *********************************************
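
The two checks raised in this thread (does the linked OpenSSL have a FIPS module, and is `sslVersion` below TLSv1.2), as an added example that is not part of the original messages or of stunnel itself. The helper names `parse_conf`, `fips_capable` and `audit` are hypothetical, the sample configuration and version strings are constructed, and the `-fips` suffix test is a heuristic assumption about how FIPS-capable 1.0.x builds label themselves.

```python
import re

# Constructed sample: the poster's configuration, shortened to one service.
SAMPLE_CONF = """\
fips = yes
[Demo-Trading]
client = yes
connect = fix-order.london-demo.lmax.com:443
sslVersion = TLSv1
options = NO_SSLv2
options = NO_SSLv3
"""

def parse_conf(text):
    """Parse stunnel.conf text into {section: {option: [values]}}; globals go under ''."""
    conf, section = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            conf.setdefault(section, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            # Keep every occurrence: 'options' and 'socket' may repeat.
            conf[section].setdefault(key.lower(), []).append(value)
    return conf

def fips_capable(openssl_version):
    """Heuristic (assumption): 1.0.x builds linked with the FIPS object module
    carry '-fips' in their version text; 1.1.x has no FIPS module at all."""
    m = re.search(r"OpenSSL (\d+)\.(\d+)\.\S*", openssl_version)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    if major == 1:
        return False if minor == 1 else "-fips" in m.group(0)
    return None  # 3.x and later depend on the FIPS provider; not checked here

def audit(text, openssl_version):
    conf, findings = parse_conf(text), []
    if conf[""].get("fips", [""])[-1].lower() == "yes" and fips_capable(openssl_version) is False:
        findings.append("fips = yes, but this OpenSSL build has no FIPS module")
    for name, opts in conf.items():
        version = opts.get("sslversion", [None])[-1]
        if version in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
            findings.append(f"[{name or 'global'}] sslVersion = {version} is below TLSv1.2")
    return findings
```

Pass the OpenSSL line reported by the stunnel binary in question as `openssl_version`; an empty result from `audit` means neither condition was found.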

