[stunnel-users] Problems with Stunnel 4.5*

Ludovic LEVET llevet at ludosoft.org
Mon Dec 12 12:32:59 CET 2011


Hi,

Yes, openssl 0.9.8 normally supports SHA2.
But the mistake here is to generate an encrypted private key.
Stunnel supports only unencrypted private keys; it can't ask you for a passphrase.

Try with :

openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out key.pem


Ludovic.


On 11/12/2011 23:39, Sebastian Rose-Indorf wrote:
> Hello,
>
> many thanks for your answer.
>
>> And convert your PKCS12 couple key/cert to PEM format
> Convert? I've generated my certificate/private-key pair with:
> openssl genpkey -algorithm RSA -aes128 -pkeyopt rsa_keygen_bits:4096 -out key.pem
> openssl req -new -x509 -sha384 -key key.pem -verify -config openssl.conf -out cert.pem
>
> And with Stunnel 4.47 (OpenSSL 1.0) there are no problems.
>
>> Then for compatible ciphers choose,this is the build in in openssl of
>> stunnel 4.50 or 4.51 :
>> ...
>> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
> "AES128-SHA" means SHA1 and not SHA2 (e.g. SHA384), right?
> Stunnel 4.5* (OpenSSL 0.9.8-fips) would therefore support only SHA1 (and
> MD5). This would be a great pity because SHA1 is contested.
>
> Is FIPS really so important that a downgrade of OpenSSL from 1.0 to 0.9.8 is
> acceptable?
>
> Regards
> Sebastian
>
>
>> Hi,
>>
>> Your log says there is a problem with your cert/key.
>>
>> Your certificate/private-key pair must be an RSA or DSA key.
>>
>> IDEA and RSA are part of the ciphers, not part of the key/cert.
>>
>> Use the openssl shipped with stunnel to make these manipulations:
>> - Open a CMD window with administrator rights
>> - cd C:\Program Files (x86)\stunnel
>>
>>
>> And convert your PKCS12 key/cert pair to PEM format with this:
>>
>> # export certificate and passphrase-less key
>> openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes
>>
>> # same as above, but you'll be prompted for a passphrase for
>> # the private key
>> openssl pkcs12 -in mycert.pfx -out mycert.pem
>>
>>
>> Then verify that your PEM file is valid with:
>>
>> openssl verify mycert.pem
>>
>> If it is OK, then put in your stunnel.conf:
>> cert = mycert.pem
>>
>> And Retry.
>>
>>
>> Then, to choose compatible ciphers, this is the built-in cipher list of the
>> openssl bundled with stunnel 4.50 or 4.51:
>>
>>
>> C:\>cd C:\Program Files (x86)\stunnel
>>
>> C:\Program Files (x86)\stunnel>openssl.exe ciphers -v
>> DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
>> DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
>> AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
>> EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
>> EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
>> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
>> DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
>> DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
>> DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
>> AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
>> IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
>> IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
>> RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
>> RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
>> RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
>> RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
>> EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
>> EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
>> DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
>> DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
>> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
>> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
>> EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
>> EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
>> EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
>> EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
>> EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
>>
>>
>>
>>
>> Ludovic.
>>
>>
>>> Hello Mike,
>>>
>>> I can make only a statement about the non-FIPS mode, because Stunnel 4.5*
>>> starts only if "fips = no" is set (without it, Windows gives an error message).
>>> I have tested both an RSA-SHA384/AES128 certificate/priv-key pair and an
>>> RSA-RMD160/IDEA certificate/priv-key pair. Both do not work.
>>> (SHA384/AES128 is validated by FIPS 140-2, but not provided by PKCS12. Could
>>> it be due to that?)
>>>
>>> Yours sincerely
>>> Sebastian
>>>
>>>> Sebastian Rose-Indorf wrote:
>>>>> Stunnel 4.51b1 however
>>>>> - starts only if "fips = no" is set;
>>>>> - no longer accepts my certificate and my private key (SHA384 or RMD160,
>>>>> AES128 or IDEA):
>>>>>
>>>>> error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>>>> error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
>>>>> error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
>>>>> error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
>>>>> SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
>>>> Do you mean that stunnel does not accept non-FIPS-approved algorithms
>>>> in FIPS mode?  I suppose this is something to be expected...
>>>>
>>>> Or maybe you rather mean that in FIPS mode it does not start at all
>>>> (what does it mean exactly?), and with FIPS mode turned off you still
>>>> can't use non-FIPS algorithms?
>>>>
>>>> This essay may be helpful:
>>>> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>>>>
>>>> BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as a PBE
>>>> algorithm (who would want to use IDEA, anyway), I'm surprised there
>>>> are also problems with AES128.  It might be a good idea to report it
>>>> to the openssl-users mailing list...
>>>>
>>>> Mike
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
>
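The failure in Sebastian's log is the loader hitting a passphrase-protected key: `openssl genpkey ... -aes128` writes a PKCS#8 EncryptedPrivateKeyInfo whose encryptionAlgorithm names the password-based encryption scheme (by OID) that the loading library must support, and that is the lookup `EVP_PBE_CipherInit` performs before "unknown pbe algorithm" is reported. The check a practitioner wants before pointing stunnel at a key file is therefore whether the key is encrypted at all, and with which scheme. The Python below is an added example, not code from the thread, from stunnel or from OpenSSL: it classifies a PEM private key as unencrypted, legacy-encrypted (RFC 1421 `Proc-Type`/`DEK-Info` headers) or PKCS#8-encrypted, and for the PKCS#8 case walks the DER to list the PBE OIDs. The sample keys are constructed (the ciphertext bytes are dummies; only the headers are meaningful), and the `openssl pkey` / `openssl rsa` commands suggested by `stunnel_advice` assume an OpenSSL 1.0.0 or later CLI, the same generation as the `genpkey` used in the thread.

```python
import base64
import re

# One PEM block; the body keeps any RFC 1421 headers (Proc-Type, DEK-Info) that precede the base64.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# OIDs that appear in the encryptionAlgorithm of a PKCS#8 EncryptedPrivateKeyInfo.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
}


def der_tlv(buf, pos=0):
    """Read one DER TLV at pos; return (tag, content bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Dotted string from the content octets of a DER OBJECT IDENTIFIER."""
    arcs, val = [content[0] // 40, content[0] % 40], 0
    for c in content[1:]:
        val = (val << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def oids_in(seq_content):
    """Every OID inside a SEQUENCE's content, recursing into nested SEQUENCEs (in order)."""
    out, pos = [], 0
    while pos < len(seq_content):
        tag, val, pos = der_tlv(seq_content, pos)
        if tag == 0x06:
            out.append(decode_oid(val))
        elif tag == 0x30:
            out.extend(oids_in(val))
    return out


def pbe_oids(epki):
    """OIDs of the encryptionAlgorithm of an EncryptedPrivateKeyInfo:
    [PBES2, PBKDF2, cipher] for PKCS#5 v2, or a single PKCS#12/PKCS#5 v1 PBE OID."""
    tag, outer, _ = der_tlv(epki)           # EncryptedPrivateKeyInfo ::= SEQUENCE
    algid_tag, algid, _ = der_tlv(outer)    # encryptionAlgorithm ::= AlgorithmIdentifier
    if tag != 0x30 or algid_tag != 0x30:
        raise ValueError("not an EncryptedPrivateKeyInfo")
    return oids_in(algid)


def inspect_pem_key(pem_text):
    """Classify the first PEM block in the text (see kinds below)."""
    m = PEM_RE.search(pem_text)
    if not m:
        return {"kind": "no-key", "label": None}
    label, body = m.group(1), m.group(2)
    headers, b64 = {}, []
    for line in body.splitlines():
        if ":" in line and not b64:         # RFC 1421 headers come before the base64 body
            k, _, v = line.partition(":")
            headers[k.strip()] = v.strip()
        elif line.strip():
            b64.append(line.strip())
    if label == "ENCRYPTED PRIVATE KEY":     # PKCS#8, what `genpkey -aes128` writes
        oids = pbe_oids(base64.b64decode("".join(b64)))
        return {"kind": "pkcs8-encrypted", "label": label, "pbe": oids,
                "pbe_names": [OID_NAMES.get(o, o) for o in oids]}
    if headers.get("Proc-Type", "").endswith("ENCRYPTED"):   # legacy `genrsa -aes128` style
        return {"kind": "legacy-encrypted", "label": label, "dek_info": headers.get("DEK-Info", "")}
    if label.endswith("PRIVATE KEY"):
        return {"kind": "unencrypted", "label": label}
    return {"kind": "no-key", "label": label}


def stunnel_advice(report):
    """(loadable without a passphrase prompt?, what to do). Commands assume OpenSSL >= 1.0.0."""
    if report["kind"] == "unencrypted":
        return True, "ok: stunnel can load this key (key = key.pem in stunnel.conf)"
    if report["kind"] == "pkcs8-encrypted":
        return False, "openssl pkey -in key.pem -out key-nopass.pem   # prompts once, writes unencrypted PKCS#8"
    if report["kind"] == "legacy-encrypted":
        return False, "openssl rsa -in key.pem -out key-nopass.pem    # prompts once, writes unencrypted key"
    return False, "no private key found in this PEM file"


# --- constructed samples (dummy ciphertext; only the algorithm headers matter) ---
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def build_pbes2_sample():
    """PKCS#8 EncryptedPrivateKeyInfo with PBES2/PBKDF2/aes128-CBC headers and 16 dummy bytes."""
    pbkdf2 = der(0x30, encode_oid("1.2.840.113549.1.5.12") + der(0x30, der(0x04, b"\0" * 8) + der(0x02, b"\x08\x00")))
    aes128 = der(0x30, encode_oid("2.16.840.1.101.3.4.1.2") + der(0x04, b"\0" * 16))
    pbes2 = der(0x30, encode_oid("1.2.840.113549.1.5.13") + der(0x30, pbkdf2 + aes128))
    epki = der(0x30, pbes2 + der(0x04, b"\0" * 16))
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(epki).decode() + "-----END ENCRYPTED PRIVATE KEY-----\n"


LEGACY_SAMPLE = "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\nAAAAAAAAAAAAAAAAAAAAAA==\n-----END RSA PRIVATE KEY-----\n"
PLAIN_SAMPLE = "-----BEGIN PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAA==\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    for name, pem in (("pbes2", build_pbes2_sample()), ("legacy", LEGACY_SAMPLE), ("plain", PLAIN_SAMPLE)):
        report = inspect_pem_key(pem)
        print(name, report["kind"], report.get("pbe_names", report.get("dek_info", "")), stunnel_advice(report)[1])
```

Run it against a real key file by passing `open("key.pem").read()` to `inspect_pem_key`; a `pkcs8-encrypted` report listing PBES2 and aes128-CBC is exactly the shape of key the thread's `genpkey -aes128` produces, and the advice line is the conversion Ludovic's reply implies.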

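On the cipher question raised in the thread: the `Mac=SHA1` column of `openssl ciphers -v` is the record-layer MAC of the suite, which is independent of the digest used to sign the certificate; a SHA-384-signed certificate is served over AES128-SHA without any change to its signature. What the quoted list does show is which suites should not be offered at all. The Python below is an added example (not stunnel's or the thread's code) that parses the `ciphers -v` output quoted above and builds a value for stunnel's `ciphers =` option under an assumed policy: drop SSLv2 suites, export grades, MD5 MACs and RC4/RC2/single-DES, and order the rest by ephemeral DH first, then AES over 3DES, then key length. The policy and the ordering are this example's assumptions, not something the thread or stunnel prescribes.

```python
import re

# The openssl.exe ciphers -v listing quoted in the thread, used as the sample input
# (the "export" flags that wrapped onto their own line in the mail are rejoined here).
CIPHERS_V_OUTPUT = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""

ENC_RE = re.compile(r"^([A-Z0-9]+)\((\d+)\)$")   # Enc=ALG(bits)
ALG_RANK = {"AES": 0, "3DES": 1}                 # assumed preference; anything else sorts last


def parse_cipher_line(line):
    """One `ciphers -v` line -> dict with name, proto, Kx/Au/Enc/Mac, export flag,
    and the bulk cipher name and key bits split out of Enc=ALG(bits)."""
    tokens = line.split()
    entry = {"name": tokens[0], "proto": tokens[1], "export": "export" in tokens[2:]}
    for tok in tokens[2:]:
        if "=" in tok:
            key, val = tok.split("=", 1)
            entry[key] = val
    m = ENC_RE.match(entry.get("Enc", ""))
    entry["enc_alg"] = m.group(1) if m else entry.get("Enc", "")
    entry["enc_bits"] = int(m.group(2)) if m else 0
    return entry


def weaknesses(entry):
    """Reasons to exclude a suite under the assumed policy (empty list = acceptable)."""
    reasons = []
    if entry["proto"] == "SSLv2":
        reasons.append("SSLv2")
    if entry["export"]:
        reasons.append("export-grade")
    if entry.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    if entry["enc_alg"] in ("RC4", "RC2", "DES"):   # single DES only; triple DES is "3DES"
        reasons.append(entry["enc_alg"])
    return reasons


def build_cipher_string(output):
    """Return (value for stunnel's `ciphers =` option, {dropped suite: reasons}).
    Mac=SHA1 here is the record MAC, unrelated to the certificate's signature hash."""
    kept, dropped = {}, {}
    for line in output.splitlines():
        if not line.strip():
            continue
        e = parse_cipher_line(line)
        bad = weaknesses(e)
        if bad:
            seen = dropped.setdefault(e["name"], [])
            seen.extend(r for r in bad if r not in seen)
        else:
            kept.setdefault(e["name"], e)
    # A suite name rejected under any protocol version is rejected outright.
    entries = [e for name, e in kept.items() if name not in dropped]
    entries.sort(key=lambda e: (e.get("Kx") != "DH", ALG_RANK.get(e["enc_alg"], 2), -e["enc_bits"]))
    return ":".join(e["name"] for e in entries), dropped


if __name__ == "__main__":
    cipher_string, rejected = build_cipher_string(CIPHERS_V_OUTPUT)
    print("ciphers = " + cipher_string)
    for name, reasons in rejected.items():
        print("dropped %-24s %s" % (name, ", ".join(reasons)))
```

To apply the result, paste the printed `ciphers = ...` line into the relevant service section of stunnel.conf; feeding the script the output of `openssl.exe ciphers -v` from your own stunnel directory instead of the embedded listing gives the value for the build you actually run.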