>> Does stunnel support the use of the aNULL cipher suites? I can't
>> seem to make it work, stunnel just fails with a "no shared
>> ciphers" message. I don't think that the problem is with openssl
>> or the client, since when I test it with s_server the handshake
>> completes.
>>
>
>
>Review the default cipher list.
>
>Do...
>
>stunnel -version
>
>
>Then edit the configuration file's ciphers option to suit your requirements.
I was trying to get stunnel working with anonymous ciphers (SSL_DH_anon_WITH_RC4_MD5_128, etc.) from a java based client and found that s_server succeeded while stunnel failed with the "no shared ciphers" message, because s_server has routines to initialize a temporary DH key in the absence of a certificate. Here's a sloppy patch that just borrows those routines from the s_server source code. This is against an older version of stunnel (RHEL4u7 based system), but the latest version also fails without similar patching.
Cheers,
-brian
# cat /usr/src/redhat/SOURCES/stunnel-4.05-dhe.patch
--- stunnel-4.05/src/ssl.c.dhe 2004-01-25 14:26:03.000000000 -0500
+++ stunnel-4.05/src/ssl.c 2009-04-22 00:11:10.000000000 -0400
@@ -236,6 +236,32 @@
return -1; /* FAILED */
}
+static unsigned char dh512_p[]={
+ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+ 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+ 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+ 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+ 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+ 0x47,0x74,0xE8,0x33,
+};
+
+static unsigned char dh512_g[]={
+ 0x02,
+};
+
+static DH *get_dh512(void);
+
+static DH *get_dh512(void) {
+ DH *dh=NULL;
+
+ if ((dh=DH_new()) == NULL) return(NULL);
+ dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+ dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+ if ((dh->p == NULL) || (dh->g == NULL))
+ return(NULL);
+ return(dh);
+}
+
static int init_dh(void) {
#ifdef USE_DH
FILE *fp;
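Review bot: get_dh512 leaks the DH object when either BN_bin2bn call fails: the early `return(NULL);` after the p/g check drops `dh` without releasing it, so the check should read `if ((dh->p == NULL) || (dh->g == NULL)) { DH_free(dh); return NULL; }`. Separately, the hard-coded group is only 512 bits, which is export-grade strength and far below what a temporary DH key should provide today; if the patch is kept, the parameters should be regenerated at 2048 bits or more (`openssl dhparam 2048`) and the array and function renamed to match. The forward declaration immediately before the definition is redundant, since nothing in the hunk refers to get_dh512 before it is defined. Writing `dh->p`/`dh->g` directly also ties the code to an OpenSSL version where DH is not opaque, so this presumably will not build against newer libraries.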
@@ -274,6 +300,12 @@
log(LOG_INFO, "Diffie-Hellman initialized with %d bit key",
8*DH_size(dh));
DH_free(dh);
+#else
+ DH *dh=NULL;
+ log(LOG_INFO,"Using default temp DH parameters\n");
+ dh=get_dh512();
+ SSL_CTX_set_tmp_dh(ctx,dh);
+ DH_free(dh);
#endif /* USE_DH */
return 0; /* OK */
}
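Review bot: the new #else branch hands the result of get_dh512() to SSL_CTX_set_tmp_dh without checking it, so a NULL return (get_dh512 returns NULL on DH_new or BN_bin2bn failure) is dereferenced inside OpenSSL, and the return value of SSL_CTX_set_tmp_dh is ignored as well. Replace the two calls with `dh = get_dh512();` / `if (dh == NULL || !SSL_CTX_set_tmp_dh(ctx, dh)) { DH_free(dh); return -1; /* FAILED */ }` / `DH_free(dh);`, which follows the `return -1; /* FAILED */` convention the file already uses. The log message also carries a trailing `\n` that the neighbouring log() call at the top of the hunk does not, so it should presumably be dropped for consistency. Note that this branch is taken whenever USE_DH is not defined, so a build that previously installed no temporary DH key at all now silently gets a 512-bit group; init_dh begins outside this hunk.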