Description of problem:
stunnel service will not start without "fips = no" in /etc/stunnel/stunnel.conf file

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
Clean install of Mageia-4-alpha1-LiveDVD-KDE4-x86_64-DVD.iso.
Default runlevel: 3
Package Group Selection screen has all package groups selected except Other Graphical Desktops.
non-free and tainted media are enabled.
Followed with:
    remove-unused-packages
    urpmi --downloader wget --auto --auto-update
    urpme --auto-orphans
and reboot.

1. make these changes to /etc/stunnel/stunnel.conf

    fips = no        <==== add this line above
    ; Example SSL server mode services
    [pop3s]
    accept = 999     <==== change
    connect = 119    <==== change
    ;[imaps]         <==== change
    ;accept = 993    <==== change
    ;connect = 143   <==== change
    ;[ssmtp]         <==== change
    ;accept = 465    <==== change
    ;connect = 25    <==== change

2. systemctl restart stunnel.service should work
3. remove fips = no
4. systemctl restart stunnel.service should fail

Workaround: add fips = no
CC: (none) => guillomovitch, mageia
Keywords: (none) => Triaged
CC: (none) => dan
CC: (none) => junknospam
CC: (none) => cooker
Thanks Bit Twister. Bug confirmed with an upgrade from m3 to m4 final. The workaround of adding "fips = no" fixes the problem.
CC: (none) => davidwhodgins
Version: Cauldron => 4
*** Bug 13124 has been marked as a duplicate of this bug. ***
CC: (none) => eeeemail
I just submitted stunnel-4.56-3.3.mga4 in updates_testing, with FIPS mode support disabled at build time.
Verified workaround is not required in release 5.
Summary: 4_a1: stunnel service will not start without "fips = no" in conf file => stunnel service will not start without "fips = no" in conf file
(In reply to Guillaume Rousse from comment #3)
> I just submitted stunnel-4.56-3.3.mga4 in updates_testing, with FIPS mode
> support disabled at build time.

Was that meant to be assigned to QA as an update? It looks like it never was.
Indeed, it was an error of mine.

Suggested advisory:
The stunnel package (stunnel-4.56-2) shipped in Mageia 4 was built to use FIPS compliance mode by default, requesting a specific feature unavailable in the openssl package. As a consequence, this execution mode had to be explicitly disabled in configuration for stunnel to work. A new package release (stunnel-4.56-3.3), available in updates_testing, fixes this issue by explicitly disabling support for this non-working FIPS compliance mode.
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Advisory committed to svn and validating the update.
Keywords: (none) => validated_update
Whiteboard: (none) => MGA4-64-OK advisory
CC: (none) => sysadmin-bugs
Unvalidating, as there is no stunnel-4.56-3.3 (actually no stunnel package at all) in 4 core updates_testing.
Keywords: validated_update => (none)
CC: (none) => tmb
Whiteboard: MGA4-64-OK advisory => advisory feedback
$ rpm -qa|grep stunnel
stunnel-4.56-3.3.mga4

It's not in my local repo now though, so it must have been removed.

Guillaume, any idea what's going on with stunnel?
Guillaume ping
I just submitted stunnel-4.56-3.3.mga4 again.
I tested stunnel-4.56-3.3.mga4.i586 with popa3d, and it works once the fips=no line is completely removed from the popa3d config file. I'll fix that in Cauldron as it's not shipped in mga4 or mga5.
I just realized I made a wrong assumption about the stunnel version in Cauldron, but I'll make sure popa3d is still working there separately.
Any change to make to the advisory before I validate it again? http://svnweb.mageia.org/advisories/11000.adv?view=markup
Whiteboard: advisory feedback => advisory feedback MGA4-64-OK
I fixed a couple of typos but it looks fine now.
Keywords: (none) => validated_update
Whiteboard: advisory feedback MGA4-64-OK => advisory MGA4-64-OK
An update for this issue has been pushed to Mageia Updates repository. http://advisories.mageia.org/MGAA-2015-0079.html
Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED