[stunnel-users] Configure Error

Kenway Ng kenwayng at gmail.com
Wed Apr 19 17:20:16 CEST 2017


So let's say I was able to compile stunnel 5.x with openssl 1.02 on a brand
new box RH6.  Could I take the newly compiled version of stunnel 5.x and
use it on my RH5 box that is currently running 0.98 openssl?  Will that work?

On Fri, Apr 14, 2017 at 9:56 AM, Josealf.rm <josealf at rocketmail.com> wrote:

> I backported the redhat/centos 6.x OpenSSL rpm package to 5.x. It is
> running fine on centos 5 32bits. I can provide you the source rpm and you
> can recompile on your 64bit OS.
>
> Saludos
> Jose Alfredo Diaz
> Cerrejón
>
>
> On Apr 13, 2017, at 5:08 PM, Rob Lockhart <rlockhar at gmail.com> wrote:
>
> One more good link:
> https://wiki.openssl.org/index.php/Compilation_and_Installation
> Be sure to read the parts about the --prefix and --openssldir compiler
> directives. The FIPS mode puts restrictions on some keys (prohibiting weak
> ones), but IIRC you can do the same with proper config files too.
>
> Good luck!
>
> On Thu, Apr 13, 2017 at 5:32 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>
>> Thanks Rob.  Appreciate the information.
>>
>> On Thu, Apr 13, 2017, 4:28 PM Rob Lockhart <rlockhar at gmail.com> wrote:
>>
>>> According to this:
>>> https://access.redhat.com/support/policy/updates/errata
>>>
>>> RHEL5 is out of support as of 3/31/2017 for patches, except for security
>>> patching. No new features will be added to RHEL5, to include TLS v1.1
>>> support (requires OpenSSL 1.0.x).
>>>
>>> First compile OpenSSL 1.0.2 (in a different path), then compile Stunnel
>>> (5.41) using the /usr/local for the prefix (per previous links), and
>>> perhaps some other switches too (based on info from those URLs).
>>>
>>> From the links I found, you can have multiple versions of OpenSSL, but
>>> you have to link to one when compiling Stunnel. The one you choose when
>>> compiling Stunnel will want to be the newer one you compiled. IMHO, I would
>>> migrate your RHEL5 to RHEL6 or RHEL7, but that may be considerably more
>>> difficult than just compiling OpenSSL and Stunnel.
>>>
>>>  -Rob
>>>
>>> On Thu, Apr 13, 2017 at 4:15 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>>>
>>>> Please let me know if I am completely off.  The version of openssl we
>>>> are running is 0.9.8e-fips-rhel5 01 Jul 2008.  So if we want version
>>>> TLS1.1+ then we need to recompile the STUNNEL src with an updated version
>>>> of openssl we are running on our server.  Something higher than 0.9.8.  Is
>>>> that right?  Is it possible to find a version that was already compiled
>>>> with a higher version of openssl?
>>>>
>>>> On Wed, Apr 12, 2017 at 5:49 PM, Rob Lockhart <rlockhar at gmail.com>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Wed, Apr 12, 2017 at 5:22 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>>>>>
>>>>>>
>>>>>> I am trying to upgrade our version of stunnel.  Our SME left and now
>>>>>> I am trying to upgrade stunnel to fix a vulnerability.  I am being told to
>>>>>> use TLS1.1 or higher.
>>>>>>
>>>>>> $ ./stunnel -version
>>>>>>
>>>>>> stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL
>>>>>> 0.9.8e-fips-rhel5 01 Jul 2008
>>>>>>
>>>>>> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> I don't have RHEL5 64-bit but these links may help:
>>>>>
>>>>> https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/
>>>>>
>>>>> http://serverfault.com/questions/296765/cannot-find-ssl-libraries-when-configuring-stunnel
>>>>>
>>>>> These links involve re-compiling OpenSSL and Stunnel, in that order.
>>>>> I would opt for OpenSSL 1.0.2k (latest as of 20170412) since 1.0.1 and
>>>>> below are all EOL as of 12/31/2016. OpenSSL 0.9.8 supports only TLS v1.0,
>>>>> whereas OpenSSL 1.0.1 supports TLS v1.0, v1.1 and v1.2.
>>>>> whereas OpenSSL 1.0.1 supports TLS v1.0, v1.1 and v1.2.
>>>>>
>>>>>  -Rob
>>>>>
>>>>
>>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>>
>>
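The following is an added example, not part of the original thread: a POSIX shell check that reads a `stunnel -version` banner and reports whether the OpenSSL it names is 1.0.1 or later, the threshold the replies give for TLS v1.1/v1.2. The function names and the `SAMPLE_BANNER` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): decide from a `stunnel -version` banner
# whether the OpenSSL it reports can negotiate TLS 1.1/1.2 (OpenSSL >= 1.0.1).

# Constructed sample: the banner quoted in the thread, wrapped as in the e-mail.
SAMPLE_BANNER='stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL
0.9.8e-fips-rhel5 01 Jul 2008'

# Print the OpenSSL version token found in banner text read from stdin.
# Lines are joined first because the banner may be wrapped after "OpenSSL".
openssl_version_from_banner() {
    { tr '\n' ' '; echo; } |
        sed -n 's/.*OpenSSL[[:space:]]\{1,\}\([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Return 0 if the version is >= 1.0.1, 1 if older, 2 if it cannot be parsed.
tls11_capable() {
    num=$(printf '%s\n' "$1" | sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    [ -n "$num" ] || return 2
    old_ifs=$IFS; IFS=.; set -- $num; IFS=$old_ifs   # split "1.0.2" into $1 $2 $3
    [ "$1" -gt 1 ] && return 0
    [ "$1" -eq 1 ] && { [ "$2" -gt 0 ] || [ "$3" -ge 1 ]; } && return 0
    return 1
}

# Print a one-line verdict for banner text passed as $1; same exit codes as above.
check_banner() {
    ver=$(printf '%s\n' "$1" | openssl_version_from_banner)
    rc=0; tls11_capable "$ver" || rc=$?
    case $rc in
        0) echo "OpenSSL $ver: TLS 1.1/1.2 available" ;;
        1) echo "OpenSSL $ver: TLS 1.0 only, relink stunnel against 1.0.1+" ;;
        *) echo "no OpenSSL version found in banner" ;;
    esac
    return "$rc"
}

# Usage on a live host: check_banner "$(stunnel -version 2>&1)"
check_banner "$SAMPLE_BANNER" || true
```

Run it against the rebuilt binary's banner to confirm stunnel was linked to the newly compiled OpenSSL rather than the system 0.9.8 library.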

