Gentoo Forums
Stunnel RSA blinding patch breaks client usage
yem
n00b
Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

Posted: Thu Jun 19, 2003 11:50 pm    Post subject: Stunnel RSA blinding patch breaks client usage

Hi all. The RSA blinding patch added to stunnel (https://forums.gentoo.org/viewtopic.php?t=43711) breaks client usage.

The patched stunnel now attempts to load a private key, apparently to test whether it is an RSA key. This is fine when stunnel is in server mode, but when in client mode (e.g. to access an SSL server from a client that doesn't support SSL) it breaks, because stunnel is mostly used without a client certificate.

Simple usage such as
Code:
stunnel -f -c -D debug -P none -r www.microsoft.com:443

Results in
Code:
2003.06.20 12:40:33 LOG7[5331:16384]: www.microsoft.com.443 started
2003.06.20 12:40:33 LOG7[5331:16384]: www.microsoft.com.443 connecting 207.46.134.155:443
2003.06.20 12:40:33 LOG7[5331:16384]: Remote FD=3 initialized
2003.06.20 12:40:33 LOG3[5331:16384]: Unable to get access to the SSL private key.
2003.06.20 12:40:33 LOG3[5331:16384]: SSL_get_privatekey: Peer suddenly disconnected


If you generate a client key/cert with
Code:
openssl req -new -x509 -days 9999 -nodes -config /etc/ssl/openssl.cnf \
    -out /etc/ssl/certs/stunnel.pem -keyout /etc/ssl/certs/stunnel.pem

Then run stunnel with
Code:
stunnel -f -c -D debug -P none -r www.microsoft.com:443 -p /etc/ssl/certs/stunnel.pem

... it works as expected.

Can we alter the blinding patch to only check for a key if in server mode (or a client cert has been specified for use)?
Is blinding even required in client mode?
yem
n00b
Joined: 05 Nov 2002
Posts: 63
Location: Aotearoa

Posted: Fri Jun 20, 2003 12:11 am    Post subject: net-misc/stunnel/files/stunnel-3.22-blinding.patch

Perhaps change
Code:
+     } else {
+       log(LOG_ERR, "Unable to get access to the SSL private key.");
+       sslerror("SSL_get_privatekey");
+       exit(1);
+     }

to
Code:
+     } else if (ssl->type == SSL_ST_ACCEPT) {
+       log(LOG_ERR, "Unable to get access to the SSL private key.");
+       sslerror("SSL_get_privatekey");
+       exit(1);
+     }
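Review bot: the `else if (ssl->type == SSL_ST_ACCEPT)` turns a missing private key into a silent no-op whenever the SSL object is not in the accept (server) state, so the blinding setup above it is only ever reached on the server side. That matches the thread's reasoning (a client with no certificate performs no RSA private-key operation, so there is nothing to blind), but it also swallows the failure when a client certificate was passed with -p and the key still could not be retrieved; a log line in the non-server branch (LOG_DEBUG is enough) would keep that case visible. Also, `ssl->type` reaches into the SSL struct directly rather than through the library's state-query API, so the check is tied to that struct's layout.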


Thus stunnel will only error out if it cannot access the private key AND it is running as a server. This diff works for me.

The question is, do we need blinding on the client side? Perhaps checking for a client-side RSA key is a bad check method considering client certs are NOT compulsory.
b1nd3n14l
Tux's lil' helper
Joined: 06 Jun 2003
Posts: 80

Posted: Wed Oct 29, 2003 12:22 am    Post subject: Same thing....

I get the same error when I just emerged from 4.02 to 4.04-r1....

I use stunnel to encrypt http traffic from one host to a proxy server.

Is the only way to get around
Oct 28 18:49:13 gargoyle stunnel[32743]: Unable to get access to the SSL private key.
Oct 28 18:49:13 gargoyle stunnel[32743]: SSL_get_privatekey: Peer suddenly disconnected
to create the client certs???

Also, if you run stunnel as a user other than root, the new pid location of /var/run/stunnel.pid doesn't work. You must keep it at /var/tmp/stunnel.pid.