Hello
I am new to Stunnel and would like to know how to integrate the engine with Stunnel 4.15.
I am trying to integrate a Trusted Platform Module (TPM) engine, which is compatible with OpenSSL, to use with Stunnel so that the private key for the SSL connection can be retrieved from and stored in the hardware. I was able to configure the Stunnel config file to use the engine, and it is loading the engine fine. The problem I am facing now is that the key which stunnel tries to load can be loaded only by the engine; I mean it has to be loaded into the TPM to use it, and stunnel tries to load it in the normal way. Please find the debug output below:
# ./stunnel stunnel-engine.conf
2006.04.19 13:39:22 LOG7[1261:3086812864]: Enabling support for engine 'tpm'
DEBUG e_tpm_err.c:295 ERR_load_TPM_strings
DEBUG e_tpm_err.c:298 TPM_lib_error_code is 136
2006.04.19 13:39:22 LOG7[1261:3086812864]: Initializing engine
DEBUG e_tpm.c:336 tpm_engine_init
LOG_DEBUG TSPI ../tcsd_api/clntside.c:58 Sending TSP packet to host localhost.
LOG_DEBUG TSPI ../tcsd_api/clntside.c:74 Connecting to 127.0.0.1
LOG_DEBUG TSPI ../tcsd_api/tcstp.c:390 TCS_OpenContext_RPC_TP: Received TCS Context: 0xa0ef791d
2006.04.19 13:39:22 LOG7[1261:3086812864]: Engine initialized
2006.04.19 13:39:22 LOG7[1261:3086812864]: Engine closed
2006.04.19 13:39:22 LOG7[1261:3086812864]: Snagged 64 random bytes from /root/.rnd
DEBUG e_tpm.c:1151 tpm_rand_bytes getting 1024 bytes
LOG_DEBUG TSPI ../tcsd_api/tcstp.c:2488 TCSP_GetRandom_TP: TCS Context: 0xa0ef791d
2006.04.19 13:39:23 LOG7[1261:3086812864]: Wrote 1024 new random bytes to /root/.rnd
DEBUG e_tpm.c:1171 tpm_rand_status
2006.04.19 13:39:23 LOG7[1261:3086812864]: RAND_status claims sufficient entropy for the PRNG
2006.04.19 13:39:23 LOG6[1261:3086812864]: PRNG seeded successfully
DEBUG e_tpm.c:736 tpm_rsa_init
2006.04.19 13:39:23 LOG7[1261:3086812864]: Certificate: /root/dk/CVS/070406/applications/openssl_tpm_engine/TpmKey.crt
2006.04.19 13:39:23 LOG7[1261:3086812864]: Key file: /root/dk/CVS/070406/applications/openssl_tpm_engine/TpmKey.key
2006.04.19 13:39:23 LOG3[1261:3086812864]: error stack: 140B3009 : error:140B3009:SSL routines:SSL_CTX_use_RSAPrivateKey_file:PEM lib
2006.04.19 13:39:23 LOG3[1261:3086812864]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line
It is obvious from the debug output that Stunnel expects a private key file in PEM format, but the whole issue is that the private key I have (created using the TPM) is not in PEM format; it is an encrypted file, and the root key used to encrypt it stays inside the TPM hardware. I suppose we need to provide a key load function which loads the key into the TPM rather than using Stunnel.
It would be a great help if someone could provide me with some pointers on how to solve this, or please let me know if I am missing something. Also, do ask me if you need any further clarification.
Many thanks,
Dinesh Kallath, CISSP
Research Professional, Security Research Centre
BT Group Chief Technology Office
Tel : +44 (0) 1473 643476
Fax : +44 (0) 1473 646886
Mob : +44 (0) 7952144553
Email: dinesh.kallath@bt.com
Post : PP:2A, B28, Adastral Park, Ipswich IP5 3RE.
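Added example (an editor's note, not part of the message above and not code from stunnel or from the openssl_tpm_engine project). The two errors at the end of the log come from OpenSSL's PEM reader, not from the engine: SSL_CTX_use_RSAPrivateKey_file() with SSL_FILETYPE_PEM hands the key file to PEM_read_bio(), which scans for a "-----BEGIN <label>-----" line and fails with "no start line" if it never sees one. A TPM-wrapped key blob carries no such armour, so the file is rejected before any engine code is consulted; a key that lives in an engine has to be obtained with ENGINE_load_private_key() and installed with SSL_CTX_use_PrivateKey() instead. The script below reproduces the header check so a key file can be classified as PEM, DER or an opaque blob before stunnel is pointed at it. All sample inputs are constructed stand-ins, not real key material.

```python
"""Classify a key file the way OpenSSL's PEM reader sees it.

Added example; the sample inputs below are constructed, not real keys.
"""
import re
import sys

# PEM_read_bio() scans line by line for this armour (RFC 1421 style);
# anything before the BEGIN line is skipped, so leading junk is harmless.
_PEM_BEGIN = re.compile(rb"^-----BEGIN ([A-Z0-9 ]+)-----[ \t]*\r?$", re.MULTILINE)


def classify_key_bytes(data: bytes) -> dict:
    """Return {'format': ..., 'pem_label': ..., 'reason': ...} for raw key bytes.

    format is one of 'pem', 'pem-truncated', 'der' or 'opaque'.
    """
    m = _PEM_BEGIN.search(data)
    if m:
        label = m.group(1)
        footer = re.compile(rb"^-----END " + re.escape(label) + rb"-----[ \t]*\r?$",
                            re.MULTILINE)
        if footer.search(data, m.end()):
            return {"format": "pem", "pem_label": label.decode("ascii"),
                    "reason": "BEGIN/END armour present; PEM_read_bio() will parse it"}
        return {"format": "pem-truncated", "pem_label": label.decode("ascii"),
                "reason": "BEGIN line without a matching END line; file is cut short"}
    if data[:1] == b"\x30":
        # 0x30 is the ASN.1 SEQUENCE tag every DER-encoded private key starts with.
        return {"format": "der", "pem_label": None,
                "reason": "DER, not PEM; would need SSL_FILETYPE_ASN1"}
    return {"format": "opaque", "pem_label": None,
            "reason": "no '-----BEGIN' line, so PEM_read_bio() reports "
                      "'no start line'; an engine-wrapped key must be loaded "
                      "with ENGINE_load_private_key(), not from a PEM file"}


def loadable_with_pem_filetype(data: bytes) -> bool:
    """True only if SSL_CTX_use_*PrivateKey_file(..., SSL_FILETYPE_PEM) can read it."""
    return classify_key_bytes(data)["format"] == "pem"


def classify_key_file(path: str) -> dict:
    """Classify the key file at `path` (e.g. the TpmKey.key from the log)."""
    with open(path, "rb") as fh:
        return classify_key_bytes(fh.read())


# Constructed samples (stand-ins, not real key material).
SAMPLE_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
              b"Y29uc3RydWN0ZWQtc3RhbmQtaW4sbm90LWEta2V5\n"   # fake body, not a key
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_PEM_TRUNCATED = SAMPLE_PEM.split(b"-----END")[0]        # armour never closed
SAMPLE_DER = b"\x30\x82\x01\x3b\x02\x01\x00\x02\x41\x00"       # SEQUENCE, INTEGER 0, ...
SAMPLE_TPM_BLOB = b"\x01\x01\x00\x00\x00\x00\x00\x01" + b"\xa5" * 24  # opaque wrapped-key blob

if __name__ == "__main__":
    # Usage: python3 keyfmt.py /path/to/TpmKey.key  (no argument: classify the sample blob)
    info = (classify_key_file(sys.argv[1]) if len(sys.argv) > 1
            else classify_key_bytes(SAMPLE_TPM_BLOB))
    print("%s: %s" % (info["format"], info["reason"]))
```

Running it against a TPM-wrapped key file reports "opaque" with the same root cause the stunnel log shows; against a normal PEM key it reports the label (RSA PRIVATE KEY) that PEM_read_bio() would match. The script only mirrors the armour check, it does not validate the base64 body or the ASN.1 inside it.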