[stunnel-users] Configuring VeriSign certificate with STunnel

Zubair Ali Mansoor zubair at 01systems.net
Wed Dec 21 12:07:10 CET 2011


Hi, 

Here are the steps I used to create the certificate request and private key.

Generate private key
openssl genrsa -des3 -out server.key 2048

Generate certificate request
openssl req -new -key server.key -out server.csr

I submitted server.csr contents to VeriSign to get test certificate and they
provided me three certificates. 

VeriSign signed certificate
Root certificate
Intermediate certificate

I copied VeriSign signed certificate in stunnel.pem and other two
certificates in ca.pem file. 

As per my observation STunnel is unable to load stunnel.pem file.

If you need VeriSign test certificate I can provide you that as well. Please
let me know if you need further information. 

Thanks,

Zubair

-----Original Message-----
From: stunnel-users-bounces at stunnel.org
[mailto:stunnel-users-bounces at stunnel.org] On Behalf Of
stunnel-users-request at stunnel.org
Sent: Wednesday, December 21, 2011 12:56 PM
To: stunnel-users at stunnel.org
Subject: stunnel-users Digest, Vol 89, Issue 18

Today's Topics:

   1. Unable to make Stunnel on Solaris 10 (ted.pritchard at steria.co.uk)
   2. Incompatibility between openssl 1.0.0 and 0.9.8 which cause
      stunnel windows version malfunction. (ayanamist)
   3. Configuring VeriSign certificate with STunnel (Zubair Ali Mansoor)
   4. Re: Incompatibility between openssl 1.0.0 and 0.9.8 which
      cause stunnel windows version malfunction. (Ludovic LEVET)
   5. Re: Configuring VeriSign certificate with STunnel (Ludovic LEVET)


----------------------------------------------------------------------

Message: 1
Date: Tue, 20 Dec 2011 16:04:08 +0000
From: ted.pritchard at steria.co.uk
To: stunnel-users at stunnel.org
Subject: [stunnel-users] Unable to make Stunnel on Solaris 10
Message-ID:
	
<OFBAF4145D.79BD6AD7-ON8025796C.0056E111-8025796C.005844D7 at xansa.com>
Content-Type: text/plain; charset="us-ascii"

Hi,

I'm trying to compile and install Stunnel 4.47 on a Solaris 10 container. 
My GCC version is 3.4.3.  The problem is that I get the following error
during make

make gcc:unrecognized option: '-pthread'

Should I be able to compile Stunnel using this configuration or is there
some option I can use to make it work?

For interest, in the past using Stunnel 3.34 I've not had this problem so
something in the build process must have changed.

Many Thanks

Ted


------------------------------

Message: 2
Date: Wed, 21 Dec 2011 16:16:04 +0800
From: ayanamist <ayanamist at gmail.com>
To: stunnel-users at stunnel.org
Subject: [stunnel-users] Incompatibility between openssl 1.0.0 and
	0.9.8 which cause stunnel windows version malfunction.
Message-ID:
	<CA+694GOfG4tC=QZ_csLipz1rLAhe4W=qrTJxVu__5U3akqgfDg at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

I generated a pair of key and certificates with openssl 1.0.0d, and use them
in stunnel 4.36.
Today I upgraded it to stunnel 4.50 and it does not work. All configurations
remain unmodified. Then I tested many versions and found, stunnel with
openssl 1.00 works fine while with openssl 0.98 does not work.
I use stunnel with linux server and windows client, stunnel 4.50 windows
version is using openssl 0.98, so cause this problem.
4.47 is using 1.00e which I think is newer than 0.98 bundled with 4.50.
So why stunnel keep changing openssl version?

------------------------------

Message: 3
Date: Wed, 21 Dec 2011 12:31:51 +0300
From: "Zubair Ali Mansoor" <zubair at 01systems.net>
To: <stunnel-users at stunnel.org>
Subject: [stunnel-users] Configuring VeriSign certificate with STunnel
Message-ID: <000f01ccbfc3$6d23c350$476b49f0$@01systems.net>
Content-Type: text/plain; charset="us-ascii"

Hi,

I got VeriSign Test SSL certificate. I have been trying to configure it with
STunnel. But there are errors in STunnel. I have placed private key and CA
signed certificate in a separate file named 'stunnel.pem'. Root and
Intermediate certificates have been placed in following order in a file
named 'ca.pem'

stunnel.pem

-----BEGIN RSA PRIVATE KEY-----
encrypted key
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
VeriSign signed certificate
-----END CERTIFICATE-----

ca.pem
-----BEGIN CERTIFICATE-----
VeriSign Intermediate CA Certificate
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
VeriSign Root CA Certificate
-----END CERTIFICATE-----

Here is stunnel.conf file. 

;key = server.key
cert = stunnel.pem

; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1

; Workaround for Eudora bug
;options = DONT_INSERT_EMPTY_FRAGMENTS

; Authentication stuff
verify = 2
; Don't forget to c_rehash CApath
;CApath = certs
; It's often easier to use CAfile
CAfile = ca.pem
;CAfile=zosIntermediate.pem
; Don't forget to c_rehash CRLpath
;CRLpath = crls
; Alternatively you can use CRLfile
;CRLfile = crls.pem

; Some debugging stuff useful for troubleshooting
;debug = 7
output = stunnel.log

; Use it for client mode
client = no

I have also tried to change order of certificates but nothing is working.
Anyone have idea how it can work. Your cooperation will be highly
appreciated. 

Thanks,

Zubair


------------------------------

Message: 4
Date: Wed, 21 Dec 2011 10:52:42 +0100
From: Ludovic LEVET <llevet at ludosoft.org>
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Incompatibility between openssl 1.0.0 and
	0.9.8 which cause stunnel windows version malfunction.
Message-ID: <4EF1AC6A.1070206 at ludosoft.org>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hi,

- For FIPS certification.
- Yes, encrypted headers of certificates are different between openssl
0.9.8 and 1.0.0, like this:


openssl 1.0.0 key :

-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI0Z45oYYRJ1cCAggA
MB0GCWCGSAFlAwQBAgQQF4QLI0IILDItqQFXHJeAxgSCCVBAo1Ed9BHwyhHeBzx2
rQELkAghar26CFsP7qvMwZ+vnATbArA2MvFWJWy0l2pl7/Rn7RcoztbSzg82c8IG
...

openssl 0.9.8 key :

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,327E4B06D51C7728

grestO9v2wfiqFwBy8bBbpNjMWpFrrc/9y8q68n6c48enCFyDsdVlyqToOQ+Razt
d98I+rkTow33X83e9+Zt8rGlKJlPXn3zHTKbjNhfc7j6kk+ssWJft5OAvu5NShMx
FOATl4pW97qCf1x4pFwQGm8/8MhCqOpqv2cLfjz2T4Egu1qP2sHZ35QU/gHBLHYh
...


Ludovic.


On 21/12/2011 09:16, ayanamist wrote:
> I generated a pair of key and certificates with openssl 1.0.0d, and 
> use them in stunnel 4.36.
> Today I upgraded it to stunnel 4.50 and it does not work. All 
> configurations remain unmodified. Then I tested many versions and 
> found, stunnel with openssl 1.00 works fine while with openssl 0.98 
> does not work.
> I use stunnel with linux server and windows client, stunnel 4.50 
> windows version is using openssl 0.98, so cause this problem.
> 4.47 is using 1.00e which I think is newer than 0.98 bundled with 4.50.
> So why stunnel keep changing openssl version?


------------------------------

Message: 5
Date: Wed, 21 Dec 2011 10:55:48 +0100
From: Ludovic LEVET <llevet at ludosoft.org>
To: stunnel-users at stunnel.org
Subject: Re: [stunnel-users] Configuring VeriSign certificate with
	STunnel
Message-ID: <4EF1AD24.7030104 at ludosoft.org>
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"

Hi,

Please provide us debug log info :

debug = 7
output = stunnel.log

Ludovic.


On 21/12/2011 10:31, Zubair Ali Mansoor wrote:
>
> Hi,
>
> I got VeriSign Test SSL certificate. I have been trying to configure 
> it with STunnel. But there are errors in STunnel. I have placed 
> private key and CA signed certificate in a separate file named 
> 'stunnel.pem'. Root and Intermediate certificates have been placed in 
> following order in a file named 'ca.pem'
>
> stunnel.pem
>
> -----BEGIN RSA PRIVATE KEY-----
> encrypted key
> -----END RSA PRIVATE KEY-----
>
> -----BEGIN CERTIFICATE-----
> VeriSign signed certificate
> -----END CERTIFICATE-----
>
> ca.pem
> -----BEGIN CERTIFICATE-----
> VeriSign Intermediate CA Certificate
> -----END CERTIFICATE-----
>
> -----BEGIN CERTIFICATE-----
> VeriSign Root CA Certificate
> -----END CERTIFICATE-----
>
> Here is stunnel.conf file.
>
> ;key = server.key
> cert = stunnel.pem
>
> ; Some performance tunings
> socket = l:TCP_NODELAY=1
> socket = r:TCP_NODELAY=1
>
> ; Workaround for Eudora bug
> ;options = DONT_INSERT_EMPTY_FRAGMENTS
>
> ; Authentication stuff
> verify = 2
> ; Don't forget to c_rehash CApath
> ;CApath = certs
> ; It's often easier to use CAfile
> CAfile = ca.pem
> ;CAfile=zosIntermediate.pem
> ; Don't forget to c_rehash CRLpath
> ;CRLpath = crls
> ; Alternatively you can use CRLfile
> ;CRLfile = crls.pem
>
> ; Some debugging stuff useful for troubleshooting
> ;debug = 7
> output = stunnel.log
>
> ; Use it for client mode
> client = no
>
> I have also tried to change order of certificates but nothing is 
> working. Anyone have idea how it can work. Your cooperation will be 
> highly appreciated.
>
> Thanks,
>
> Zubair
>


------------------------------


End of stunnel-users Digest, Vol 89, Issue 18
*********************************************
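
Added example (not part of any message in this thread, and not stunnel's or
OpenSSL's own code): a pre-flight check that lists the PEM blocks of a file
such as stunnel.pem in order and names the key encoding, covering the two
header styles shown in Message 4. The function name pem_layout and the sample
files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list the PEM blocks of a file in order
# and name each private key's encoding from its header lines.
pem_layout() {    # $1: PEM file such as stunnel.pem or ca.pem
    awk '
    /^-----BEGIN / {
        label = $0
        sub(/^-----BEGIN /, "", label); sub(/-----.*$/, "", label)
        n++; enc = 0; inblock = 1
        next
    }
    # Header written inside the block by the traditional (0.9.8-style) format
    inblock && /^Proc-Type: 4,ENCRYPTED/ { enc = 1; next }
    /^-----END / && inblock {
        if (label == "RSA PRIVATE KEY")
            kind = enc ? "traditional key, passphrase-protected" : "traditional key, unencrypted"
        else if (label == "ENCRYPTED PRIVATE KEY")
            kind = "PKCS#8 key, passphrase-protected"
        else if (label == "PRIVATE KEY")
            kind = "PKCS#8 key, unencrypted"
        else if (label == "CERTIFICATE")
            kind = "certificate"
        else
            kind = "other"
        printf "%d: %s (%s)\n", n, label, kind
        inblock = 0
    }' "$1"
}

# Constructed samples: same layout as the files in the thread, placeholder
# bodies instead of real key or certificate data.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/stunnel.pem" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0000000000000000

placeholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
EOF
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' placeholder \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$sample_dir/new.key"
pem_layout "$sample_dir/stunnel.pem"
pem_layout "$sample_dir/new.key"
```

Run against the real stunnel.pem and ca.pem, it shows which key encoding and
block order each file actually contains before stunnel is asked to load it.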