[stunnel-users] Problems when using PSK between a version of stunnel using openssl 1.0 and a version of stunnel using openssl 1.1.1

Hannah Koperberg hannah.koperberg at gmail.com
Tue Sep 17 18:18:13 CEST 2019


We encounter problems when using PSK between a version of stunnel using openssl 1.0 and a version of stunnel using openssl 1.1.1
The problem being the following:
2019.09.16 13:36:28 LOG6[3]: PSK identity not found (session resumption?)
2019.09.16 13:36:28 LOG7[3]: TLS alert (write): fatal: unknown PSK identity
2019.09.16 13:36:28 LOG3[3]: SSL_accept: s3_srvr.c:2845: error:1408B0DF:SSL routines:ssl3_get_client_key_exchange:psk identity not found

No problems are encountered when using certificates or when the same versions of stunnel and openssl are used.
In the latter case neither certificates nor PSK give any problems connecting.

I am sorry if this has been posted before (I could not find a similar question).
Can anyone help me with this, please?
We seem to be getting problems with PSK only when using openssl 1.0 versus openssl 1.1.

The openssl and stunnel versions involved are:

OLD OPENSSL USE SET-UP:

openssl version
OpenSSL 1.0.2r  26 Feb 2019

stunnel -version
stunnel 5.55 on powerpc-ibm-aix7.2.2.0 platform
Compiled/running with OpenSSL 1.0.2r  26 Feb 2019
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Global options:
RNDbytes               = 1024
RNDfile                = /dev/urandom
RNDoverwrite           = yes
Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK (with "fips = no")
curves                 = prime256v1
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none

NEW OPENSSL USE SET-UP:

openssl version
OpenSSL 1.1.1c  28 May 2019
Stunnel -version
stunnel 5.54 on powerpc-ibm-aix7.2.2.0 platform
Compiled/running with OpenSSL 1.1.1c  28 May 2019
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
Global options:
RNDbytes               = 1024
RNDfile                = /dev/urandom
RNDoverwrite           = yes
Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK (with "fips = no")
ciphersuites           = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 (with TLSv1.3)
curves                 = X25519:P-256:X448:P-521:P-384
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none
Both stunnel versions run on the same AIX platform (identical OS).

The setups are:
SERVER SET-UP FOR STUNNEL USING OPENSSL 1.0.2r:

debug      = debug
syslog     = no
output     = /path/to/logfile
log        = append
pid        = /path/to/pidfile
cert       = /path/to/cert
key        = /path/to/key
CAFile     = /path/to/CAfile
CAPath     = /path/to/CAdir
PSKsecrets = /path/to/PSKfile

[HkListenerSSL]
client      = no
verifyChain = yes
verifyPeer  = yes
accept      = 0.0.0.0:9999
connect     = localhost:25250

[HkListenerPSKO012]
client      = no
accept      = 0.0.0.0:9998
connect     = localhost:25250
ciphers     = PSK

CLIENT SET-UP FOR STUNNEL USING OPENSSL 1.0.2r:
debug      = debug
syslog     = no
output     = /path/to/logfile
log        = append
pid        = /path/to/pidfile
cert       = /path/to/cert
key        = /path/to/key
CAFile     = /path/to/CAfile
CAPath     = /path/to/CAdir
PSKsecrets = /path/to/PSKfile

[HkListenerSSL]
client      = yes
verifyChain = yes
verifyPeer  = yes
accept      = 0.0.0.0:1119
connect     = localhost:9999

[HkListenerPSKO013]
client      = yes
accept      = 0.0.0.0:1118
connect     = localhost:9998
ciphers     = PSK

PSKFile for server and client content:
HkListenerPSKO012:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
HkListenerPSKO013:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU


SERVER SET-UP FOR STUNNEL USING OPENSSL 1.1.1c:
debug      = debug
syslog     = no
output     = /path/to/logfile
log        = append
pid        = /path/to/pidfile
cert       = /path/to/cert
key        = /path/to/key
CAFile     = /path/to/CAfile
CAPath     = /path/to/CAdir
PSKsecrets = /path/to/PSKfile
sslVersionMin = TLSv1
sslVersionMax = TLSv1.2


[HkListenerSSL]
client      = no
verifyChain = yes
verifyPeer  = yes
accept      = 0.0.0.0:9999
connect     = localhost:25250

[HkListenerPSKO048]
client      = no
accept      = 0.0.0.0:9998
connect     = localhost:25250
ciphers     = PSK

CLIENT SET-UP FOR STUNNEL USING OPENSSL 1.1.1c:
debug      = debug
syslog     = no
output     = /path/to/logfile
log        = append
pid        = /path/to/pidfile
cert       = /path/to/cert
key        = /path/to/key
CAFile     = /path/to/CAfile
CAPath     = /path/to/CAdir
PSKsecrets = /path/to/PSKfile
sslVersionMin = TLSv1
sslVersionMax = TLSv1.2


[HkListenerSSL]
client      = yes
verifyChain = yes
verifyPeer  = yes
accept      = localhost:4449
connect     = dreps:9999

[HkListenerPSKO047]
client      = yes
accept      = localhost:4448
connect     = dreps:9998
ciphers     = PSK


PSKFile for server and client set-up:
HkListenerPSKO047:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
HkListenerPSKO048:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU

It goes without saying that only one of the two server set-ups can be active during testing.

Well, that is the end of my 'small' mail 😉

Kind regards,
Hannah Koperberg, de Volksbank in the Netherlands
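The server's "PSK identity not found" line means the identity the client presented was not in the server's PSKsecrets table. The script below, an added diagnostic example and not stunnel's own code, reads a client stunnel.conf plus both PSKsecrets files (the IDENTITY:KEY layout shown in the mail) and reports any PSK client section whose identity the server does not know or whose key differs. It assumes option names can be matched case-insensitively and that a client section presents the identity set by PSKidentity, falling back to the first identity in its PSKsecrets file; the sample config and keys are constructed placeholders, not the values from the mail.

```python
"""Cross-check the PSK identity a stunnel client section will present against
the server's PSKsecrets file.  Added diagnostic example, not stunnel's own code.

Assumptions (not stated on the page): option names are matched
case-insensitively, and a client section presents the identity named by
PSKidentity, falling back to the first identity in its PSKsecrets file.
"""
from typing import Dict, List, Tuple

# Constructed sample input modelled on the post; the key is a placeholder,
# not the value from the mail.
CLIENT_CONF = """\
debug      = debug
PSKsecrets = /path/to/PSKfile

[HkListenerSSL]
client      = yes
verifyChain = yes
accept      = 0.0.0.0:1119
connect     = localhost:9999

[HkListenerPSKO013]
client      = yes
accept      = 0.0.0.0:1118
connect     = localhost:9998
ciphers     = PSK
"""
CLIENT_PSK = "HkListenerPSKO012:placeholder-key-A\nHkListenerPSKO013:placeholder-key-A\n"
SERVER_PSK = CLIENT_PSK  # the post uses identical files on both sides


def parse_psk_file(text: str) -> Dict[str, str]:
    """Parse IDENTITY:KEY lines (the layout shown in the post).

    Duplicate identities are rejected: a server holds one key per identity,
    so a duplicate would silently shadow an earlier entry.
    """
    secrets: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"PSK line {lineno}: expected IDENTITY:KEY")
        ident, key = line.split(":", 1)
        if not ident or not key:
            raise ValueError(f"PSK line {lineno}: empty identity or key")
        if ident in secrets:
            raise ValueError(f"PSK line {lineno}: duplicate identity {ident!r}")
        secrets[ident] = key
    return secrets


def parse_stunnel_conf(text: str) -> Tuple[Dict[str, str], Dict[str, Dict[str, str]]]:
    """Minimal stunnel.conf reader: global 'key = value' lines, then [sections]."""
    global_opts: Dict[str, str] = {}
    sections: Dict[str, Dict[str, str]] = {}
    current = global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            continue  # tolerate lines this toy reader does not understand
        key, value = line.split("=", 1)
        current[key.strip().lower()] = value.strip()
    return global_opts, sections


def client_identity(section: Dict[str, str], client_psk: Dict[str, str]) -> str:
    """Identity a client section sends (assumed: PSKidentity, else first in file)."""
    ident = section.get("pskidentity")
    if ident is None:
        if not client_psk:
            raise ValueError("client PSKsecrets file is empty")
        ident = next(iter(client_psk))
    return ident


def check_psk(client_conf: str, client_psk_text: str, server_psk_text: str) -> List[str]:
    """Return findings; an empty list means every PSK client section presents
    an identity the server knows, with an identical key."""
    findings: List[str] = []
    _, sections = parse_stunnel_conf(client_conf)
    client_psk = parse_psk_file(client_psk_text)
    server_psk = parse_psk_file(server_psk_text)
    for name, sec in sections.items():
        if sec.get("client", "no").lower() != "yes":
            continue
        if "PSK" not in sec.get("ciphers", "").upper():
            continue  # certificate-based section, not PSK
        ident = client_identity(sec, client_psk)
        if ident not in server_psk:
            findings.append(f"{name}: identity {ident!r} not in server PSKsecrets "
                            "(server would log 'PSK identity not found')")
        elif server_psk[ident] != client_psk[ident]:
            findings.append(f"{name}: key for {ident!r} differs between client and server")
    return findings


if __name__ == "__main__":
    for finding in check_psk(CLIENT_CONF, CLIENT_PSK, SERVER_PSK) or ["PSK files consistent"]:
        print(finding)
```

Run against the files from the mail, the check passes on both sides (both PSKsecrets files list both identities with the same key), which is consistent with the report that PSK works whenever client and server use the same OpenSSL generation and points the investigation away from the secrets file itself.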