Dear Friends,
I have a board which has hardware support for some cryptographic ciphers
(des-ede3-cbc & aes-128-ecb) and also some digest functions (sha1 & md5). Having written an OpenSSL engine for
it, I can use OpenSSL with this HW support, but not when I use it via stunnel.
After compiling OpenSSL with my engine support (its name is Sina) and compiling stunnel and configuring it to use that version of OpenSSL and to use that engine, stunnel doesn't use my ciphers, though it does use my digest functions. I found this out through the output of my engine's code.
-----------------------------------------------------------
I have configured the Stunnel in this way:
./configure --host=ppc --with-ssl=/to/my/openssl \
    --prefix=/usr/local/stunnel/dep --exec-prefix=/usr/local/stunnel/indep \
    --enable-static --disable-libwrap
-----------------------------------------------------------
I've added these lines to stunnel.conf:
engine = sina #my engine name is sina
ciphers = des-ede3-cbc:aes-128-ecb
-----------------------------------------------------------
And some parts of my engine source code:
#include <openssl/evp.h>
#include <openssl/objects.h>

/* Positional initializers follow the pre-1.1.0 EVP_CIPHER layout:
 * nid, block_size, key_len, iv_len, flags, init, do_cipher, cleanup,
 * ctx_size, set_asn1_parameters, get_asn1_parameters, ctrl, app_data */
static const EVP_CIPHER cipher_3des_cbc =
{
    NID_des_ede3_cbc,
    8, 24, 8,                 /* block size, key length, IV length (bytes) */
    EVP_CIPH_CBC_MODE,
    cipher_init,              /* key/IV setup */
    cipher_code,              /* encrypt/decrypt on the hardware */
    cipher_clean,             /* release per-context state */
    sizeof(CIPHER_DATA),      /* engine-private context size */
    EVP_CIPHER_set_asn1_iv,
    EVP_CIPHER_get_asn1_iv,
    NULL,                     /* ctrl */
    NULL,                     /* app_data */
};

static const EVP_CIPHER cipher_aes_ecb =
{
    NID_aes_128_ecb,
    16, 16, 0,                /* block size, key length, no IV in ECB mode */
    EVP_CIPH_ECB_MODE,
    cipher_init,
    cipher_code,
    cipher_clean,
    sizeof(CIPHER_DATA),
    EVP_CIPHER_set_asn1_iv,
    EVP_CIPHER_get_asn1_iv,
    NULL,                     /* ctrl */
    NULL,                     /* app_data */
};
-----------------------------------------------------------
After running stunnel:
# /usr/local/stunnel/dep/sbin/stunnel
--> ENGINE_load_builtin_engines 64
sina--> ENGINE_load_sina 205
sina--> engine_sina 188
sina--> bind_sina 150
1970.01.01 00:38:22 LOG7[148:1024]: Enabling support for engine 'sina'
1970.01.01 00:38:22 LOG7[148:1024]: Initializing engine
sina--> sina_init 220
sina--> sina_ciphers 255
sina--> sina_digests 287
1970.01.01 00:38:22 LOG7[148:1024]: Engine initialized
1970.01.01 00:38:22 LOG7[148:1024]: Engine closed
sina--> sina_digests 287
sina--> digest_init 461
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_final 493
sina--> do_digest 431
sina--> digest_init 461
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_final 493
sina--> do_digest 431
sina--> sina_digests 287
sina--> digest_init 461
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_final 493
sina--> do_digest 431
sina--> sina_digests 287
sina--> digest_init 461
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_final 493
sina--> do_digest 431
sina--> sina_digests 287
sina--> digest_init 461
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_update 475
sina--> digest_final 493
sina--> do_digest 431
1970.01.01 00:38:22 LOG7[148:1024]: RAND_status claims sufficient entropy for the PRNG
1970.01.01 00:38:22 LOG6[148:1024]: PRNG seeded successfully
1970.01.01 00:38:22 LOG7[148:1024]: Certificate: /usr/local/stunnel/dep/etc/stunnel/stunnel.pem
1970.01.01 00:38:22 LOG7[148:1024]: Key file: /usr/local/stunnel/dep/etc/stunnel/stunnel.pem
1970.01.01 00:38:22 LOG3[148:1024]: SSL_CTX_set_cipher_list: 1410D0B9:
error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
# The "sina-->.*" lines are my engine's output.
Regards,
Hamed Janzadeh
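Editor's note on the "no cipher match" line above: stunnel passes the `ciphers =` string to SSL_CTX_set_cipher_list(), which expects TLS cipher-suite names (e.g. DES-CBC3-SHA, AES128-SHA), not EVP cipher names such as des-ede3-cbc, and no TLS suite encrypts records in ECB mode. The check below is an added illustration, not code from the mail or from stunnel; it assumes a Python whose ssl module is linked against OpenSSL (set_ciphers() wraps SSL_CTX_set_cipher_list), and it reports which suites a string selects and which EVP cipher each suite uses.

```python
"""Apply a cipher-list string the way stunnel's ``ciphers =`` option is applied.

Added illustration (not from the original mail): SSLContext.set_ciphers()
calls SSL_CTX_set_cipher_list(), so it fails exactly where stunnel did.
"""
import ssl


def select_suites(spec: str) -> dict:
    """Return {TLS suite name: EVP cipher it uses} for the TLS 1.2-and-earlier
    suites ``spec`` selects.  An empty dict means OpenSSL reported
    SSL_R_NO_CIPHER_MATCH (Python raises 'No cipher can be selected')."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return {}
    # get_ciphers() also reports TLS 1.3 suites, which this string does not
    # govern, so keep only the ones the cipher list itself selected.
    return {c["name"]: c.get("symmetric")
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"}


def uses_ecb(spec: str) -> bool:
    """True if any selected suite encrypts records with an ECB-mode cipher.
    This is never the case: TLS suites use CBC, GCM, ChaCha20-Poly1305, ..."""
    return any(alg is not None and alg.endswith("-ecb")
               for alg in select_suites(spec).values())


if __name__ == "__main__":
    # The string from the mail: EVP cipher names, so nothing matches.
    print("des-ede3-cbc:aes-128-ecb ->", select_suites("des-ede3-cbc:aes-128-ecb"))
    # Suite names that actually select 3DES-CBC / AES-128-CBC.  DES-CBC3-SHA
    # is compiled out of many newer OpenSSL builds and may come back empty.
    for spec in ("DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"):
        print(spec, "->", select_suites(spec))
```

The `symmetric` field is the EVP cipher's long name (for example `des-ede3-cbc` for DES-CBC3-SHA), which is the name an engine's EVP_CIPHER is registered under, so it shows directly which of the engine's ciphers a given suite could ever exercise.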