Hi Märt,
Thank you very much.
Isn't it better to fix the broken engine library that uses the user callback data, instead of applying a crude workaround to stunnel? This library is clearly abusing the OpenSSL API.
Mike
On Sunday, 29 of January 2012, Märt Laak wrote:
Dear stunnel users,
As there is no development/patches related to this issue, I made a Wiki page describing the problem and offering a temporary solution/patches: http://martlaak.wikispaces.com/Stunnel+and+engine_pkcs11 PS! You can also download a patched Windows build from that page.
With best regards, Märt Laak
On Sun, Oct 3, 2010 at 10:49 AM, Märt Laak martlaak@gmail.com wrote:
Dear stunnel managers,
I would like to inform you that there exists an incompatibility between stunnel and the openssl pkcs11-engine with an external PIN entry device (like an RSA smartcard using opensc) in Linux.
We use this config to load the openssl engine (stunnel.conf):

engine=dynamic
engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so
engineCtrl=INIT
The problem is, with this setup stunnel does not allow the user to enter the PIN for the secret key. Instead it tries to get the secret key without a PIN, 3 times (and therefore usually blocks the card PIN) and retires:

Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
I discovered a workaround that is valid from version 4.26 till the current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c:
diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300
*** 304,309 **** --- 304,310 ----
UI_method_set_reader(ui_**method, pin_cb);
#else /* USE_WIN32 */
ui_method=UI_OpenSSL();
ui_data.section = NULL;
#endif /* USE_WIN32 */
if(section->engine) for(i=1; i<=3; i++) {
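Review bot: The added `ui_data.section = NULL;` in the `#else /* USE_WIN32 */` branch clears the section pointer unconditionally for every engine-backed key on non-Windows builds, with no comment saying why the `UI_OpenSSL()` reader can do without it, while the Win32 branch above (`UI_method_set_reader(ui_method, pin_cb);`) is left as is; either limit the assignment to the case that needs it or document in ctx.c why dropping the section is safe here. The cover note says the patch NULLs `ui_data.method`, but the hunk touches `ui_data.section`; the description should match the hunk. Also, the added line carries no `+ ` change marker inside the `*** 304,309 **** --- 304,310 ----` context hunk, so as pasted it will not apply with patch.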
After that patch the private key loads correctly:

Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
private key loaded
It would be nice if:
- somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpatched stunnel
- my patch, or a better one, is included for this situation
Thank you very much for excellent piece of software!
With best regards, Märt Laak
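Added example for the bug report above; it is not code from stunnel, engine_pkcs11 or the thread's authors. A small POSIX sh helper that replays the engineCtrl= sequence of the quoted stunnel.conf as an `openssl engine -t -c ... -pre ...` command, so the dynamic-engine and PKCS#11 module load chain can be checked without stunnel, and that counts the PKCS11_login failures in a stunnel log so an operator can see how many card PIN retries one run consumed before the card locks. The configuration and log text inside the block are constructed from the messages; the library paths are the ones quoted there and are assumptions about the target host.

```shell
#!/bin/sh
# Added example; not part of stunnel, engine_pkcs11 or the thread above.
# Config and log text are constructed from the messages; the library paths
# are the ones the messages quote and are assumptions about the target host.

STUNNEL_CONF_SAMPLE='engine=dynamic
engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so
engineCtrl=INIT
cert = mart.pem
key = id_01'

STUNNEL_LOG_SAMPLE='Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect'

# conf_value CONF KEY: value of the first "KEY = value" line in CONF
conf_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# engine_ctrl_list CONF: every engineCtrl value, one per line, in file order
# (order matters: SO_PATH/ID/LIST_ADD/LOAD must precede MODULE_PATH/INIT)
engine_ctrl_list() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*engineCtrl[[:space:]]*=[[:space:]]*//p'
}

# openssl_engine_cmd CONF: the "openssl engine" command that sends the same
# pre-init control commands stunnel does, so the engine + PKCS#11 module
# load chain can be tested without stunnel. -t tests that the engine
# initialises, -c lists the algorithms it offers.
openssl_engine_cmd() {
    cmd="openssl engine -t -c $(conf_value "$1" engine)"
    old_ifs=$IFS
    IFS='
'
    for ctrl in $(engine_ctrl_list "$1"); do
        cmd="$cmd -pre $ctrl"
    done
    IFS=$old_ifs
    printf '%s\n' "$cmd"
}

# pin_attempts LOG: number of PKCS11_login failures the engine reported.
# Each one spends a retry on the card; most cards block the PIN after three.
pin_attempts() {
    printf '%s\n' "$1" | grep -c '^error queue: 800050A0 :'
}

# pin_block_risk LOG: "yes" when a single run burned three or more attempts,
# which is what the unpatched stunnel run above does before giving up
pin_block_risk() {
    if [ "$(pin_attempts "$1")" -ge 3 ]; then echo yes; else echo no; fi
}
```

Run `openssl_engine_cmd "$STUNNEL_CONF_SAMPLE"` and execute the printed command on the host. `openssl engine -t -c` only checks that the dynamic engine and the opensc module load and lists what the engine offers; it does not exercise the PIN prompt, which is where stunnel and the engine disagree. A clean result there together with the "PIN incorrect" run above therefore narrows the problem to what the two programs hand the engine when loading the key, not to the card or the PKCS#11 module. `pin_block_risk` over a stunnel log tells an operator whether a failed start has already used up the card's retry budget before they try the PIN again by hand.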