Hi there,

 

we just upgraded a system that is used as a TLS-proxy for incoming connections using client-ssl-handshake from an old CentOS 6 to a recent Ubuntu LTS.

By doing so, the OpenSSL was updated from 1.0.1e to  1.1.1f.

 

Right after installation, the new OpenSSL complained about „too weak ca cypher“, so I had to add a line „CipherString = DEFAULT:@SECLEVEL=1“ to the openssl.conf to make things work again.

After applying the changes, connections via browsers do work again using TLS 1.3.

(We will generate a new host-CA some day, but for now we need a running system)

 

Before the upgrade, Stunnel in CAPI-mode worked wih TLS 1.2 encryption. Now after updating the server, it refused to connect at all.

 

Using version 5.56 of Stunnel, I see the following lines in the log:

 

error queue: ssl/statem/statem_lib.c:298: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib

SSL_connect: engines/e_capi.c:814: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported

 

If I nail the protocol setting to TLS1.1 in the apache2-config, the connection is possible again with version 5.56.

 

Any later versions of Stunnel completely refuse to work, I always get lines like:

 

SSL_read: ssl/ssl_rsa.c:36: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak

 

I tried several things I found in the net regarding tweaking openssl.conf and/or stunnel.conf, but I can’t get it running with version 5.57 or later.

 

So my questions is: What can I do to get Stunnel working again with at least TLS1.2 (or even better TLS1.3 like I get in most browsers)?

Re-generating the host-CA (and thus needing to re-create all client certs) is unfortunately no option for the moment.

 

Many thanks in advance!

 

Cheers,

Christian Keck