<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="Generator" CONTENT="MS Exchange Server version 6.0.6617.47">
<TITLE>Stunnel with TPM engine !!!</TITLE>
</HEAD>
<BODY>
<!-- Converted from text/rtf format -->
<P><FONT SIZE=2 FACE="Arial">Hello </FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I am new to Stunnel and would like to know how to integrate the engine with Stunnel 4.15.</FONT>
</P>
<P><FONT SIZE=2 FACE="Arial">I am trying to integrate a Trusted Platform Module (TPM) engine which is compatible with OpenSSL to use with Stunnel so that the private key for SSL connection can be retrieved and stored in the hardware. I was able to configure the Stunnel config file to use the engine and it is loading the engine fine. The problem I am facing now is the key which stunnel tries to load can be loaded only by the engine, I mean it has to be loaded into the TPM to use it and stunnel tried to load it in the normal way. Please find the debug output bellow,</FONT></P>
<P><FONT SIZE=2 FACE="Arial"># ./stunnel stunnel-engine.conf</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:22 LOG7[1261:3086812864]: Enabling support for engine 'tpm'</FONT>
<BR><FONT SIZE=2 FACE="Arial">DEBUG e_tpm_err.c:295 ERR_load_TPM_strings</FONT>
<BR><FONT SIZE=2 FACE="Arial">DEBUG e_tpm_err.c:298 TPM_lib_error_code is 136</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:22 LOG7[1261:3086812864]: Initializing engine</FONT>
<BR><FONT SIZE=2 FACE="Arial">DEBUG e_tpm.c:336 tpm_engine_init</FONT>
<BR><FONT SIZE=2 FACE="Arial">LOG_DEBUG TSPI ../tcsd_api/clntside.c:58 Sending TSP packet to host localhost.</FONT>
<BR><FONT SIZE=2 FACE="Arial">LOG_DEBUG TSPI ../tcsd_api/clntside.c:74 Connecting to 127.0.0.1</FONT>
<BR><FONT SIZE=2 FACE="Arial">LOG_DEBUG TSPI ../tcsd_api/tcstp.c:390 TCS_OpenContext_RPC_TP: Received TCS Context: 0xa0ef791d</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:22 LOG7[1261:3086812864]: Engine initialized</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:22 LOG7[1261:3086812864]: Engine closed</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:22 LOG7[1261:3086812864]: Snagged 64 random bytes from /root/.rnd</FONT>
<BR><FONT SIZE=2 FACE="Arial">DEBUG e_tpm.c:1151 tpm_rand_bytes getting 1024 bytes</FONT>
<BR><FONT SIZE=2 FACE="Arial">LOG_DEBUG TSPI ../tcsd_api/tcstp.c:2488 TCSP_GetRandom_TP: TCS Context: 0xa0ef791d</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG7[1261:3086812864]: Wrote 1024 new random bytes to /root/.rnd</FONT>
<BR><FONT SIZE=2 FACE="Arial">DEBUG e_tpm.c:1171 tpm_rand_status</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG7[1261:3086812864]: RAND_status claims sufficient entropy for the PRNG</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG6[1261:3086812864]: PRNG seeded successfully</FONT>
<BR><FONT SIZE=2 FACE="Arial">DEBUG e_tpm.c:736 tpm_rsa_init</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG7[1261:3086812864]: Certificate: /root/dk/CVS/070406/applications/openssl_tpm_engine/TpmKey.crt</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG7[1261:3086812864]: Key file: /root/dk/CVS/070406/applications/openssl_tpm_engine/TpmKey.key</FONT>
<BR><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG3[1261:3086812864]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_<A HREF="file:PEM">file:PEM</A> lib</FONT></P>
<P><FONT SIZE=2 FACE="Arial">2006.04.19 13:39:23 LOG3[1261:3086812864]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line</FONT></P>
<P><FONT SIZE=2 FACE="Arial">It is obvious from the debug that the Stunnel expect a private key file in PEM format but the whole issue is that the private key I have (created using TPM) is not in a PEM format, it is an encrypted file with root key used to encrypt stays inside the TPM hardware. I suppose we need to provide a key load function which loads the key into the TPM rather than using Stunnel.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">It will be a great help if someone could provide me with some pointers on how to solve this, or please let me know if I am missing out something. Also do ask me if you need any further clarifications.</FONT></P>
<P><FONT SIZE=2 FACE="Arial">Many thanks,</FONT>
</P>
<P><B><FONT COLOR="#808080" SIZE=2 FACE="Arial">Dinesh Kallath, CISSP</FONT></B>
<BR><FONT SIZE=2 FACE="Arial">Research Professional, </FONT>
<BR><FONT SIZE=2 FACE="Arial">Security Research Centre</FONT>
<BR><FONT SIZE=2 FACE="Arial">BT Group Chief Technology Office</FONT>
<BR><SPAN LANG="fr"><FONT SIZE=2 FACE="Arial">___________________________</FONT></SPAN><SPAN LANG="en-gb"></SPAN><SPAN LANG="en-gb"></SPAN>
</P>
<P><SPAN LANG="fr"><FONT SIZE=2 FACE="Arial">Tel : ჸ (0) 1473 643476</FONT></SPAN><SPAN LANG="en-gb"></SPAN><SPAN LANG="en-gb"></SPAN>
<BR><SPAN LANG="fr"><FONT SIZE=2 FACE="Arial">Fax :� ჸ (0) 1473 646886</FONT></SPAN><SPAN LANG="en-gb"></SPAN><SPAN LANG="en-gb"></SPAN>
<BR><SPAN LANG="fr"><FONT SIZE=2 FACE="Arial">Mob: ჸ�(0) 7952144553<BR>
</FONT></SPAN><SPAN LANG="en-gb"></SPAN>
<BR><SPAN LANG="en-gb"><FONT SIZE=2 FACE="Arial">Email:�</FONT></SPAN><A HREF="mailto:dinesh.kallath@bt.com"><SPAN LANG="en-gb"><U><FONT COLOR="#0000FF" SIZE=2 FACE="Arial">dinesh.kallath@bt.com</FONT></U></SPAN></A><SPAN LANG="en-gb"></SPAN>
<BR><SPAN LANG="fr"><FONT SIZE=2 FACE="Arial">Post : PP:2A, B28, Adastral Park, Ipswich IP5 3RE.</FONT></SPAN><SPAN LANG="en-gb"></SPAN><SPAN LANG="en-gb"></SPAN>
</P>
<P><SPAN LANG="en-gb"><FONT COLOR="#808080" SIZE=1 FACE="Arial">British Telecommunications plc<BR>
Registered office: 81 Newgate Street London EC1A 7AJ<BR>
Registered in England no. 1800000 </FONT></SPAN>
<BR><SPAN LANG="en-gb"><FONT COLOR="#808080" SIZE=1 FACE="Arial">This electronic message contains information from British Telecommunications plc which may be privileged or confidential. The information is intended to be for the use of the individual(s) or entity named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited. If you have received this electronic message in error, please notify us by telephone or email (to the numbers or address above) immediately.</FONT></SPAN></P>
<P><SPAN LANG="en-gb"><FONT COLOR="#808080" SIZE=1 FACE="Arial">Activity and use of the British Telecommunications plc email system is monitored to secure its effective operation and for other lawful business purposes. Communications using this system will also be monitored and may be recorded to secure effective operation and for other lawful business purposes.</FONT></SPAN></P>
</BODY>
</HTML>