Does stunnel support the use of the aNULL cipher suites? I can't seem to make it work; stunnel just fails with a "no shared ciphers" message. I don't think that the problem is with openssl or the client, since when I test it with s_server the handshake completes.
Review the default cipher list.
Do...
stunnel -version
Then edit the ciphers option in the configuration file to suit your requirements.
I was trying to get stunnel working with anonymous ciphers (SSL_DH_anon_WITH_RC4_MD5_128, etc.) from a Java-based client and found that s_server succeeded while stunnel failed with the "no shared ciphers" message, because s_server has routines to initialize a temporary DH key in the absence of a certificate. Here's a sloppy patch that just borrows those routines from the s_server source code. This is against an older version of stunnel (RHEL4u7-based system), but the latest version also fails without similar patching.
Cheers, -brian
# cat /usr/src/redhat/SOURCES/stunnel-4.05-dhe.patch --- stunnel-4.05/src/ssl.c.dhe 2004-01-25 14:26:03.000000000 -0500 +++ stunnel-4.05/src/ssl.c 2009-04-22 00:11:10.000000000 -0400 @@ -236,6 +236,32 @@ return -1; /* FAILED */ }
+static unsigned char dh512_p[]={ + 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, + 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, + 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, + 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, + 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, + 0x47,0x74,0xE8,0x33, +}; + +static unsigned char dh512_g[]={ + 0x02, +}; + +static DH *get_dh512(void); + +static DH *get_dh512(void) { + DH *dh=NULL; + + if ((dh=DH_new()) == NULL) return(NULL); + dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); + dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); + if ((dh->p == NULL) || (dh->g == NULL)) + return(NULL); + return(dh); +} + static int init_dh(void) { #ifdef USE_DH FILE *fp; @@ -274,6 +300,12 @@ log(LOG_INFO, "Diffie-Hellman initialized with %d bit key", 8*DH_size(dh)); DH_free(dh); +#else + DH *dh=NULL; + log(LOG_INFO,"Using default temp DH parameters\n"); + dh=get_dh512(); + SSL_CTX_set_tmp_dh(ctx,dh); + DH_free(dh); #endif /* USE_DH */ return 0; /* OK */ }
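Review bot: in get_dh512 (first hunk), the early `return(NULL)` after the `(dh->p == NULL) || (dh->g == NULL)` check leaks the DH allocated by DH_new(); free it on that path (`DH_free(dh); return(NULL);`). Separately, the embedded group is 512 bits (dh512_p is 64 bytes), which is far below any current DH recommendation and is exactly the demo-sized group s_server ships for convenience; for anything beyond a lab test, generate parameters of at least 2048 bits with `openssl dhparam` and load those instead of hardcoding this array. Note also that writing `dh->p` and `dh->g` directly only compiles against OpenSSL releases where DH is not an opaque type, so this is tied to the old RHEL4 toolchain rather than the "latest version" the post mentions.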
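Review bot: in the new `#else` branch of init_dh (second hunk), `get_dh512()` may return NULL and `SSL_CTX_set_tmp_dh(ctx,dh)` is called without checking `dh` or its own return value, so an allocation failure turns into a NULL dereference inside OpenSSL instead of taking the `return -1; /* FAILED */` path this function already uses; check `dh == NULL`, check the return of SSL_CTX_set_tmp_dh, log the error and return -1. Two smaller points: the new log message carries a trailing `\n` while the adjacent `log(LOG_INFO, "Diffie-Hellman initialized with %d bit key", ...)` does not, and because the branch hangs off `#ifdef USE_DH`, the fallback exists only in builds without USE_DH; a USE_DH build that fails to load its parameters still ends up with no temporary DH key, so the fallback belongs on that branch's failure path as well.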
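The check I would run before editing the ciphers option, as suggested in the first reply, and before patching DH defaults in, as in the second. This is an added example, not part of the thread and not stunnel or OpenSSL project code. It asks the local OpenSSL, through Python's ssl module, which suites the aNULL selector resolves to and which of them need temporary DH parameters on the server (the ADH-* suites, key exchange "kx-dhe") versus an EC curve (AECDH-*, "kx-ecdhe"). It assumes Python 3.6+ with an OpenSSL 1.1.0+-based ssl module; the `@SECLEVEL=0` suffix is needed there because, at security level 1 and above, OpenSSL refuses unauthenticated suites during the handshake, a second and independent way to arrive at "no shared ciphers". The helper names are this example's own.

```python
"""Added example: resolve the aNULL selector against the local OpenSSL and
report what each anonymous suite requires server-side. Helper names are this
example's own; cipher strings are the ones under discussion in the thread."""
import ssl
from typing import Dict, List


def resolve_cipher_string(cipher_string: str) -> List[Dict]:
    """Resolve an OpenSSL cipher string against the local library.

    Returns the matching TLS 1.2-and-earlier suite descriptions as the ssl
    module reports them. TLS 1.3 suites are always listed by OpenSSL and do
    not depend on the cipher string, so they are dropped. An empty list means
    OpenSSL rejected the string outright ("no cipher match"), which is the
    configuration-time face of "no shared ciphers".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def server_side_requirements(suites: List[Dict]) -> Dict[str, List[str]]:
    """Group suite names by what the server must supply to complete the
    handshake.

    Anonymous DH (ADH-*) suites need temporary DH parameters on the server,
    which is what s_server sets up by default and what the stunnel build in
    the thread lacked. Anonymous ECDH (AECDH-*) suites need an EC curve,
    chosen automatically by OpenSSL 1.1.0 and later.
    """
    groups = {"dh_params": [], "ec_curve": [], "other": []}
    for suite in suites:
        name = suite["name"]
        kea = suite.get("kea", "")  # e.g. "kx-dhe"; absent on old OpenSSL
        if kea == "kx-dhe" or (not kea and name.startswith("ADH-")):
            groups["dh_params"].append(name)
        elif kea == "kx-ecdhe" or (not kea and name.startswith("AECDH-")):
            groups["ec_curve"].append(name)
        else:
            groups["other"].append(name)
    return groups


def report(cipher_string: str) -> str:
    """Human-readable summary of one cipher string."""
    suites = resolve_cipher_string(cipher_string)
    if not suites:
        return f"{cipher_string!r}: rejected by OpenSSL (no cipher match)"
    groups = server_side_requirements(suites)
    lines = [f"{cipher_string!r}: {len(suites)} suite(s)"]
    for need, names in groups.items():
        if names:
            lines.append(f"  {need}: {', '.join(names)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # @SECLEVEL=0 matters on OpenSSL 1.1.0+: the security-level check is
    # applied during the handshake, not when the cipher string is set, so a
    # bare "aNULL" is accepted here yet still fails against a real client.
    print(report("aNULL:@SECLEVEL=0"))
    print(report("ADH-AES128-SHA"))
    print(report("NOT-A-CIPHER"))
```

Run it on the stunnel host itself: if `dh_params` is non-empty for the string you intend to configure, the server needs DH parameters loaded (or a build that supplies defaults, which is what the patch in the previous reply adds), otherwise the handshake will fail regardless of what the ciphers option says.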