[stunnel-users] Small challenge with version 4.26 and a commercial certificate

Leandro Avila leandro.avila at ymail.com
Wed Feb 17 16:11:16 CET 2010

Hi Kevin,

I think there is ambiguous information about this.
The man page states that the private key should be unencrypted.
However, the changelog states that the support for pass phrases was fixed in v4.20.

I'll do some testing and see what I can find. Or maybe someone can shed some light on the issue.

Best regards

Leandro Avila

I decided to spend the money and get a commercial certificate from
Thawte. It was not a bad price. I have installed it in the Sun host and
while it works perfectly for Apache, I cannot get the file to work
for stunnel. The idea is to allow mobile users to access their mail
without annoying certificate warnings.

This is what happens:

# /usr/local/bin/stunnel &
[1] 13704
# Enter PEM pass phrase:
2010.02.14 05:32:46 LOG7[13704:1]: Snagged 64 random bytes from
2010.02.14 05:32:46 LOG7[13704:1]: Wrote 1024 new random bytes to
2010.02.14 05:32:46 LOG7[13704:1]: RAND_status claims sufficient entropy
for the PRNG
2010.02.14 05:32:46 LOG7[13704:1]: PRNG seeded successfully
2010.02.14 05:32:46 LOG7[13704:1]: Certificate:
2010.02.14 05:32:46 LOG7[13704:1]: Certificate loaded
2010.02.14 05:32:46 LOG7[13704:1]: Key file:
2010.02.14 05:32:46 LOG3[13704:1]: error stack: 140B3009 :
error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2010.02.14 05:32:46 LOG3[13704:1]: error stack: 906A068 :
error:0906A068:PEM routines:PEM_do_header:bad password read
2010.02.14 05:32:46 LOG3[13704:1]: SSL_CTX_use_RSAPrivateKey_file:
906406D: error:0906406D:PEM routines:PEM_def_callback:problems getting

[1]+  Exit 1                  /usr/local/bin/stunnel


It never pauses to let me enter the PEM pass phrase. As instructed in
the man pages, I created the pem file by merging the private key and the
certificate from Thawte.

This is the version statement:

# /usr/local/bin/stunnel -version
stunnel 4.26 on sparc-sun-solaris2.9 with OpenSSL 0.9.8l 5 Nov 2009

Global options
debug           = 5
pid             = /usr/local/var/run/stunnel/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes

Service-level options
cert            = /usr/local/etc/stunnel/stunnel.pem
ciphers         = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key             = /usr/local/etc/stunnel/stunnel.pem
session         = 300 seconds
stack           = 65536 bytes
sslVersion      = SSLv3 for client, all for server
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds
verify          = none


Any ideas would be great. Thanks.
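The "bad password read" and "problems getting password" lines in the log come from OpenSSL's PEM password callback failing to obtain a passphrase for an encrypted key. A quick way to confirm, before starting stunnel, whether a combined stunnel.pem contains an encrypted key (and the expected one key plus one certificate) is the check below. This is an added example for this thread, not code from stunnel or from either poster; the PEM sample it parses is constructed with placeholder bodies rather than real key material.

```python
import re

# Constructed sample: a combined stunnel.pem with an encrypted legacy PEM key
# followed by a certificate. Bodies are placeholders, not real key material.
SAMPLE_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

<base64 key body omitted: constructed sample>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<base64 certificate body omitted: constructed sample>
-----END CERTIFICATE-----
"""

# One PEM block: the END label must match the BEGIN label.
BLOCK_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)


def pem_blocks(text):
    """Return (label, body) pairs for every PEM block in the file, in order."""
    return [(m.group(1), m.group(2)) for m in BLOCK_RE.finditer(text)]


def key_is_encrypted(label, body):
    """Legacy OpenSSL PEM keys carry Proc-Type/DEK-Info headers when
    encrypted; PKCS#8 keys use a distinct BEGIN label instead."""
    if label == "ENCRYPTED PRIVATE KEY":
        return True
    return "Proc-Type: 4,ENCRYPTED" in body and "DEK-Info:" in body


def check_stunnel_pem(text):
    """Summarize what stunnel would find in a combined cert/key file."""
    blocks = pem_blocks(text)
    keys = [(lbl, body) for lbl, body in blocks if lbl.endswith("PRIVATE KEY")]
    certs = [lbl for lbl, _ in blocks if lbl == "CERTIFICATE"]
    return {
        "certificates": len(certs),
        "private_keys": len(keys),
        # True means a daemonized stunnel will need a passphrase it cannot read
        "encrypted_key": any(key_is_encrypted(lbl, b) for lbl, b in keys),
    }


if __name__ == "__main__":
    print(check_stunnel_pem(SAMPLE_ENCRYPTED_PEM))
```

If the report shows `encrypted_key: True`, the key needs to be stored unencrypted in the file (as the man page says) with permissions that restrict it to the stunnel user, or stunnel has to be run in a way that lets the passphrase prompt actually be answered.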


