Hello all:
I'm running Stunnel 4.52 under WinXP SP3.
Last night I had some questions about how the cipher list in Stunnel
interacts with the
cipher negotiation routine between client and server, so I did some
experiments in an
attempt to address those questions.
In the course of doing so, I noticed that, if I attempt to load certain
ciphers, Stunnel
would stall at configuration load.
Using OpenSSL to list TLS ciphers with 4.52's libraries yields the
following:
~~~~~~~~~~~~~~~~~~~~~
C:\Program Files\stunnel>openssl ciphers -v -tls1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1
export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1
export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1
export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5
export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5
export
C:\Program Files\stunnel>
~~~~~~~~~~~~~~~~~~~~~
As such, ciphers RC4-SHA and RC4-MD5 appear to be valid. However, any
attempt at using those
in client mode causes Stunnel to stall when reading the cipher from
stunnel.conf:
~~~~~~~~~~~~~~~~~~~~~
2012.03.08 20:17:10 LOG5[432:592]: Reading configuration from file
stunnel.conf
2012.03.08 20:17:10 LOG5[432:592]: FIPS mode is enabled
2012.03.08 20:17:10 LOG7[432:592]: Compression not enabled
2012.03.08 20:17:10 LOG7[432:592]: Snagged 64 random bytes from C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: Wrote 1024 new random bytes to C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: PRNG seeded successfully
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service
nntps.1
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from
peer-nntps.1.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.1.pem revocation
lookup file
2012.03.08 20:17:10 LOG7[432:592]: SSL options set: 0x00000004
2012.03.08 20:17:10 LOG6[432:592]: SSL context initialized
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service
nntps.2
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from
peer-nntps.2.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.2.pem revocation
lookup file
2012.03.08 20:17:10 LOG3[432:592]: SSL_CTX_set_cipher_list: 1410D0B9:
error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2012.03.08 20:17:10 LOG3[432:592]: Failed to reload the configuration file
2012.03.08 20:17:10 LOG7[432:592]: Signal pipe is empty
~~~~~~~~~~~~~~~~~~~~
This is the relevant snippet from my stunnel.conf file:
~~~~~~~~~~~~~~~~~~~~
debug = 7
delay = yes
output = stunnel.log
[nntps.1]
client = yes
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
cafile = peer-nntps.1.pem
verify = 4
accept = 127.0.1.1:119
connect = news.server.com:443
[nntps.2]
client = yes
sslVersion = TLSv1
ciphers = RC4-SHA
cafile = peer-nntps.2.pem
verify = 4
accept = 127.0.1.2:119
connect = news.server.org:563
~~~~~~~~~~~~~~~~~~~~
Any attempt at using ciphers RC4-SHA or RC4-MD5. with or without TLS
specified, results in
the same configuration crash.
I don't really need to use those ciphers, but since I observed this
behavior, I thought I'd better
report it.
Any comments welcome.
Regards;
Thomas
.
--
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.