[stunnel-users] [RFC,PATCH] Port stunnel to NSS
mitr at redhat.com
Tue Aug 28 02:40:46 CEST 2007
As a part of Fedora's attempt to rely on a single, FIPS certified
crypto implementation, I have prepared a port of stunnel to NSS,
activated by passing --with-nss to configure. The port relies on a
currently unreleased version of nss_compat_ossl.
The NSS interface is rather different from OpenSSL, and many options
that are configured explicitly by applications with OpenSSL are either
not available to applications with NSS, or configured using external
tools in an "NSS database", which stores certificates, private keys and
- The EGD (option "EGD") is not supported.
- "RSA support" (loading keys as "RSA PRIVATE KEY" instead of
"ANY PRIVATE KEY") is irrelevant; keys are stored in the NSS database
- DH key exchange is not supported for the server side
- compression (option "compression") is not supported
- OpenSSL engines (options "engine", "engineCtrl") are not supported;
PKCS#11 plugins are configured in the NSS database
- CRLs (options "CRLpath", "CRLfile") are not configured; all CRLs
stored in the NSS database are used automatically
- OCSP (options "OCSP", "OCSPflag") is not supported in the current
port; NSS supports OCSP, but a CA certificate must be specified along
with the OCSP URL.
- OpenSSL options (option "options") are not supported
- NTLM authentication for the "CONNECT" protocol is not supported
because NSS currently does not implement MD4
- certificates (option "cert") are stored in the NSS database; the
"cert" option contains a nickname of a certificate stored in the
- CA certificates (options "CApath", "CAfile") are stored in the NSS
- error_depth on certificate verification failure is not supported
To convert an existing stunnel setup to NSS, at minimum it is necessary to:
- select an NSS database directory, $SSL_DIR
$ certutil -d $SSL_DIR -N
- import server and CA certificates:
$ certutil -d $SSL_DIR -A -n server_cert_nickname -i server_cert.pem
- import server private key:
$ openssl pkcs12 -export -in server_key.pem -out server_key.pfx
$ pk12util -d $SSL_DIR -i server_key.pfx
- modify stunnel.conf to use "server_cert_nickname" instead of path to
"server_cert.pem" in "cert"
- when starting stunnel, make sure $SSL_DIR is present in the
I'm afraid the incompatibilities are large, but the current NSS design
really requires a database, and it does not work well with separate files.
We'd like to include this NSS port of stunnel in Fedora 8 (if it doesn't
prove to be too buggy).
I'll be grateful for any comments.
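The conversion steps above, collected into a script as an added example (not part of the post or of the port itself). It differs from the posted commands in one respect: certificate and key are bundled into a single PKCS#12 so they land under one nickname. It assumes certutil, pk12util and openssl are on PATH, that stunnel.conf uses separate "cert" and "key" options, and that certutil accepts --empty-password and the trust flags shown (assumptions about current NSS, not taken from the post).

```shell
#!/bin/sh
# Added example (not from the post): migrate a file-based stunnel
# setup to an NSS database. Assumes the NSS tools certutil/pk12util and
# openssl are on PATH; certutil's --empty-password and the trust flags
# used below are assumptions about current NSS, not taken from the post.
set -eu

# Print a copy of stunnel.conf in which the "cert" path is replaced by the
# NSS nickname and the now-unused "key" option is dropped (the key lives
# in the database). Only sed is needed, so this part can be checked offline.
rewrite_cert_option() {
    conf="$1"; nick="$2"
    sed -e "s|^[[:space:]]*cert[[:space:]]*=.*|cert = ${nick}|" \
        -e '/^[[:space:]]*key[[:space:]]*=/d' "$conf"
}

# Create $SSL_DIR if needed, then import the CA cert and the server identity.
# Certificate and key travel together in one PKCS#12 so they end up under
# a single nickname, which is what stunnel's "cert" option will name.
nss_import_server_identity() {
    ssl_dir="$1"; nick="$2"; cert="$3"; key="$4"; ca="$5"
    mkdir -p "$ssl_dir"
    if [ ! -f "$ssl_dir/cert8.db" ] && [ ! -f "$ssl_dir/cert9.db" ]; then
        certutil -d "$ssl_dir" -N --empty-password
    fi
    # The CA gets trust flags that let NSS use it to verify peers (assumed flags)
    certutil -d "$ssl_dir" -A -n "${nick}_ca" -t "CT,C,C" -i "$ca"
    p12=$(mktemp)
    openssl pkcs12 -export -in "$cert" -inkey "$key" -name "$nick" \
        -passout pass: -out "$p12"
    pk12util -d "$ssl_dir" -i "$p12" -W '' -K ''
    rm -f "$p12"
    # Check: the nickname stunnel.conf will reference must resolve in the DB
    certutil -d "$ssl_dir" -L -n "$nick" >/dev/null
}

# Usage (NSS and OpenSSL tools required):
#   nss_import_server_identity "$SSL_DIR" server_cert_nickname \
#       server_cert.pem server_key.pem ca.pem
#   rewrite_cert_option stunnel.conf server_cert_nickname > stunnel-nss.conf
```

Remember that $SSL_DIR must also be visible to the running stunnel process, as the post notes.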