Hi to all,

We recently ran into a problem using stunnel on our AIX 5.2 machines.
This is our situation:

We are running stunnel as a client to protect http (and a proprietary
protocol) traffic between our company and a customer. We are using
client authentication to grant access to the server, and on our client side
we validate the server certificates.
This all works fine.

Due to new security restrictions, we are moving all our private-key
material into HSM boxes, in our case nCipher nShield HSMs.
According to the documentation on their website ( http://active.ncipher.com )
we built an nCipher-enabled openssl. Based on this openssl version, we
built stunnel. All the build options are shown below in this message. The
compiler used is the IBM C compiler.

According to the stunnel manuals we needed to add an extra line to
the config file: "engine = chil" (chil is the Cryptographic
Hardware Interface Library, the way the nCipher HSMs are known to openssl).

After all this, we created keys in the HSM using the nCipher tools and
loaded them into stunnel (using this method you get a "pseudo-pem-file",
which is actually a reference to the hardware key). Fire up stunnel using
the commands from nCipher to preload the keys and we are all good to go!

After this all seemed to work very stably for a few months, with thousands
of connections and as many megabytes transferred, we wanted to send all the
logging to our syslog server (it runs syslog-ng), and this is where
my problem comes in: when commenting out the option "output =
/home/bart/stl/var/stunnel.log" and restarting stunnel, stunnel dies after
the first or second connection, leaving no logging, core files or anything
behind.

Using plain keys (so no HSM, but with the same build which is aware of the
HSM), syslog is no problem. Using HSM keys with plaintext logfiles (no
syslog) also works excellently.

As I don't have any ideas anymore where to search, I want to ask whether
somebody has ever seen this behaviour or knows what it could be caused
by. (And maybe how to solve it....)

Thanks in advance!

Best regards,

Bart Somers.



#############################
# Build- and config-options #
#############################

bart@server1:./stunnel -version
stunnel 4.11 on powerpc-ibm-aix5.2.0.0 UCONTEXT+POLL+IPv4 with OpenSSL
0.9.8 05 Jul 2005

Global options
cert = home/bart/stl/etc/stunnel/stunnel.pem
ciphers = ALL:!ADH:+RC4:@STRENGTH
debug = 5
key = /home/bart/stl/etc/stunnel/stunnel.pem
pid = /home/bart/stl/var/run/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
session = 300 seconds
verify = none

Service-level options
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds



bart@server1:./openssl version
OpenSSL 0.9.8 05 Jul 2005

compile-options:
Openssl:

 $ export LDFLAGS="-L/opt/nfast/toolkits/hwcrhk"
 $ ./config --prefix=/home/bart/stl -DNFast -ldl
make and make install


Stunnel:

 $ export CPPFLAGS="-I/home/bart/stl/include"
 $ export LDFLAGS="-L/opt/nfast/toolkits/hwcrhk"
 $ ./configure --prefix=/home/bart/stl --with-ssl=/home/bart/stl
 --disable-libwrap
make and make install


Config-file:
Include
engine = chil

Start-up:
$ with-nfast -f /home/bart/stl/tmp/ff /home/bart/stl/sbin/stunnel
/home/bart/stl/etc/stunnel/stunnel.conf



Relevant information from the config-file:

engine = chil
cert = /home/bart/stl/etc/stunnel/my-key.pem
key = /home/bart/stl/etc/stunnel/my-key-hsm.pem
;(no chroot options used)
pid = /prj/stl_004/tmp/test/stunnel-client.pid
debug = 7
; output = /home/bart/stl/var/stunnel.log # when in comment, problems!
client = yes

[test]
accept = 9400
connect = 10.10.10.10:443

All other values are the default from the example.
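The following is an added example, not code from Bart's mail or from the stunnel project. It is a small parser for the stunnel.conf syntax quoted above (global options before the first `[service]` header, `;` and `#` comment lines) and a review pass that reports, before a restart, the two things a reviewer of this setup would want to know: whether an `engine` is combined with syslog logging (the combination the mail reports as crashing; the example assumes that a missing `output` option means syslog, as the mail describes for daemon mode) and whether a client-mode configuration has no `verify` level, which leaves the server certificate unchecked (the `-version` dump above shows `verify = none` as the default). The finding codes and the sample text are constructed for this example.

```python
"""Parse an stunnel.conf fragment and review its engine/logging/verify
settings.  Added example; assumes stunnel 4.x syntax as quoted in the mail."""

from dataclasses import dataclass, field

# Constructed sample: the "relevant information" block from the mail, with
# the output line commented out exactly as in the failing configuration.
SAMPLE_CONF = """\
engine = chil
cert = /home/bart/stl/etc/stunnel/my-key.pem
key = /home/bart/stl/etc/stunnel/my-key-hsm.pem
;(no chroot options used)
pid = /prj/stl_004/tmp/test/stunnel-client.pid
debug = 7
; output = /home/bart/stl/var/stunnel.log # when in comment, problems!
client = yes

[test]
accept = 9400
connect = 10.10.10.10:443
"""


@dataclass
class StunnelConf:
    global_opts: dict = field(default_factory=dict)
    services: dict = field(default_factory=dict)   # service name -> options


def parse_stunnel_conf(text: str) -> StunnelConf:
    """Global options precede the first [service] header; ';' and '#'
    start comment lines; each option is 'name = value'."""
    conf = StunnelConf()
    current = conf.global_opts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue                                   # blank or comment
        if line.startswith("[") and line.endswith("]"):
            current = conf.services.setdefault(line[1:-1].strip(), {})
            continue
        if "=" not in line:
            raise ValueError(f"not an option line: {raw!r}")
        name, value = (part.strip() for part in line.split("=", 1))
        current[name] = value
    return conf


def logging_target(conf: StunnelConf) -> str:
    """Where stunnel will log: the 'output' file if set, otherwise syslog
    (assumption: daemon mode, as in the mail)."""
    return conf.global_opts.get("output", "syslog")


def review(conf: StunnelConf) -> list:
    """Return constructed finding codes for settings worth a second look."""
    codes = []
    g = conf.global_opts
    # The combination the mail reports as fatal: HSM engine + syslog logging.
    if "engine" in g and logging_target(conf) == "syslog":
        codes.append("engine-with-syslog")
    # 'engine' is a global option in stunnel; flag it inside a service block.
    for name, opts in conf.services.items():
        if "engine" in opts:
            codes.append(f"engine-in-service:{name}")
    # Client mode without a verify level: the peer certificate is not checked.
    if g.get("client", "no") == "yes" and g.get("verify", "none") in ("0", "none"):
        codes.append("client-without-verify")
    return codes


if __name__ == "__main__":
    conf = parse_stunnel_conf(SAMPLE_CONF)
    print("logging target:", logging_target(conf))
    for code in review(conf):
        print("finding:", code)
```

Run against the sample, the script reports syslog as the logging target and two findings; adding an `output =` line (or `verify = 2` plus a `CAfile`) makes the corresponding finding disappear, which is the quickest way to confirm which line of a live config is responsible before restarting a daemon whose key lives in the HSM.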