[stunnel-users] patch for using stunnel as client with pkcs11-engine and opensc smartcard

Märt Laak martlaak at gmail.com
Sun Jan 29 17:29:29 CET 2012


Dear stunnel users,

As there has been no development/patches related to this issue, I made a Wiki page
describing the problem and offering a temporary solution/patches:
http://martlaak.wikispaces.com/Stunnel+and+engine_pkcs11
PS! You can also download a patched Windows build from that page.

With best regards,
Märt Laak

On Sun, Oct 3, 2010 at 10:49 AM, Märt Laak <martlaak at gmail.com> wrote:

> Dear stunnel managers,
>
> I would like to inform you that there exists an incompatibility between
> stunnel and the openssl pkcs11-engine with an external PIN entry device (like an RSA
> smartcard using opensc) in Linux.
>
> We use this config in stunnel.conf to load the openssl engine:
> ---
> engine=dynamic
> engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so
> engineCtrl=ID:pkcs11
> engineCtrl=LIST_ADD:1
> engineCtrl=LOAD
> engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so
> engineCtrl=INIT
> ---
>
> The problem is, with this setup stunnel does not allow the user to enter the PIN for
> the secret key.
> Instead it tries to get the secret key without a PIN, 3 times (and then
> therefore usually blocks the card PIN) and retires:
> ----
> Initializing engine 1
> Engine 1 initialized
> PRNG seeded successfully
> Certificate: mart.pem
> Certificate loaded
> Key file: id_01
> error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
> error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
> Wrong PIN: retrying
> error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
> error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
> Wrong PIN: retrying
> error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
> ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
> ----
>
> I discovered a workaround that is valid from version 4.26 till the current 4.34,
> as follows, NULL-ing the ui_data.method property in ctx.c:
> ---
> diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c
> *** stunnel-4.34/src/ctx.c    2010-09-14 18:08:43.000000000 +0300
> --- stunnel-4.34-patched/src/ctx.c    2010-09-28 21:56:36.219081931 +0300
> ***************
> *** 304,309 ****
> --- 304,310 ----
>      UI_method_set_reader(ui_**method, pin_cb);
>  #else /* USE_WIN32 */
>      ui_method=UI_OpenSSL();
> +     ui_data.section = NULL;
>  #endif /* USE_WIN32 */
>      if(section->engine)
>          for(i=1; i<=3; i++) {
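Review bot: the added line `ui_data.section = NULL;` does not match the covering text, which says the workaround NULLs the `ui_data.method` property; confirm which field is intended and make the description and the hunk agree. The assignment also sits only in the `#else /* USE_WIN32 */` branch, so the Win32 path that sets `pin_cb` as the UI reader is left unchanged, and nothing in the hunk says why clearing `section` before the `for(i=1; i<=3; i++)` engine loop makes OpenSSL's PIN prompt appear; a short comment on the new line explaining that would make the change reviewable.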
> ---
>
> After that patch private key loads correctly:
> ---
> Initializing engine 1
> Engine 1 initialized
> PRNG seeded successfully
> Certificate: mart.pem
> Certificate loaded
> Key file: id_01
> private key loaded
> ---
>
> It would be nice if:
> * somebody investigates more precisely why the OpenSSL PIN entry is not
> showing with unpatched stunnel
> * you include my patch, or a better one, for this situation
>
> Thank you very much for an excellent piece of software!
>
> With best regards,
> Märt Laak
>