yem n00b
Joined: 05 Nov 2002 Posts: 63 Location: Aotearoa
Posted: Thu Jun 19, 2003 11:50 pm Post subject: Stunnel RSA blinding patch breaks client usage |
Hi all. The RSA blinding patch added to stunnel (https://forums.gentoo.org/viewtopic.php?t=43711) breaks client usage.
The patched stunnel now attempts to load a private key, apparently to test whether it is an RSA key. This is fine when stunnel is in server mode, but when in client mode (e.g. to access an SSL server from a client that doesn't support SSL) it breaks, because stunnel is mostly used without a client certificate.
Simple usage such as
Results in
Code:
2003.06.20 12:40:33 LOG7[5331:16384]: www.microsoft.com.443 started
2003.06.20 12:40:33 LOG7[5331:16384]: www.microsoft.com.443 connecting 207.46.134.155:443
2003.06.20 12:40:33 LOG7[5331:16384]: Remote FD=3 initialized
2003.06.20 12:40:33 LOG3[5331:16384]: Unable to get access to the SSL private key.
2003.06.20 12:40:33 LOG3[5331:16384]: SSL_get_privatekey: Peer suddenly disconnected
If you generate a client key/cert with
Code:
openssl req -new -x509 -days 9999 -nodes -config /etc/ssl/openssl.cnf \
    -out /etc/ssl/certs/stunnel.pem -keyout /etc/ssl/certs/stunnel.pem
Then run stunnel with
.. it works as expected.
Can we alter the blinding patch to only check for a key if in server mode (or a client cert has been specified for use)?
Is blinding even required in client mode?
yem n00b
Joined: 05 Nov 2002 Posts: 63 Location: Aotearoa
Posted: Fri Jun 20, 2003 12:11 am Post subject: net-misc/stunnel/files/stunnel-3.22-blinding.patch |
Perhaps change
Code:
+ } else {
+ log(LOG_ERR, "Unable to get access to the SSL private key.");
+ sslerror("SSL_get_privatekey");
+ exit(1);
+ }
to
Code:
+ } else if (ssl->type == SSL_ST_ACCEPT) {
+ log(LOG_ERR, "Unable to get access to the SSL private key.");
+ sslerror("SSL_get_privatekey");
+ exit(1);
+ }
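Review bot: the `else if (ssl->type == SSL_ST_ACCEPT)` guard suppresses the error for every non-accept connection, including a client instance that does have a certificate configured but cannot read its key (the "or a client cert has been specified" case raised in the first post), so a broken client cert path now fails silently instead of exiting. Consider deciding on stunnel's own knowledge of client mode and of whether a certificate was configured, rather than on the `ssl->type` struct field, which is an OpenSSL internal and may change between library versions.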
Thus stunnel will only error out if it cannot access the private key AND it is running as a server. This diff works for me.
The question is, do we need blinding on the client side? Perhaps checking for a client-side RSA key is a bad check method considering client certs are NOT compulsory.
b1nd3n14l Tux's lil' helper
Joined: 06 Jun 2003 Posts: 80
Posted: Wed Oct 29, 2003 12:22 am Post subject: Same thing.... |
I get the same error when I just emerged from 4.02 to 4.04-r1....
I use stunnel to encrypt http traffic from one host to a proxy server.
Is the only way to get around
Oct 28 18:49:13 gargoyle stunnel[32743]: Unable to get access to the SSL private key.
Oct 28 18:49:13 gargoyle stunnel[32743]: SSL_get_privatekey: Peer suddenly disconnected
to create the client certs???
Also, if you run stunnel as a user other than root, then the new pid location of /var/run/stunnel.pid doesn't work... You must keep it at /var/tmp/stunnel.pid ...