Hi to all,
We recently ran into a problem using stunnel on our AIX 5.2 machines. This is our situation:
We are running stunnel as a client to protect HTTP (and a proprietary protocol) traffic between our company and a customer. We are using client authentication to grant access to the server, and on our client side we validate the server certificates. This all works fine.
Due to new security restrictions, we are moving all our private-key material into HSM boxes, in our case nCipher nShield HSMs. According to the documentation on their website ( http://active.ncipher.com ) we built OpenSSL nCipher-enabled. Based on this OpenSSL version, we built stunnel. All the build options are shown below in this message. The compiler used is the IBM C compiler.
According to the stunnel manuals we needed to put an extra line into the config file which reads "engine = chil" (chil is the Cryptographic Hardware Interface Library, the way the nCipher HSMs are known to OpenSSL).
After all this, we created keys in the HSM using the nCipher tools and loaded them into stunnel (using this method you get a "pseudo PEM file", which is actually a reference to the hardware key). We fire up stunnel using the commands from nCipher to preload the keys, and we are all good to go!
While this all seemed to work very stably after a few months, with thousands of connections and ditto megabytes transferred, we wanted to have all the logging go to our syslog server (it runs syslog-ng), and this is where my problem comes in: when commenting out the option "output = /home/bart/stl/var/stunnel.log" and restarting stunnel, stunnel dies after the first or second connection, leaving no logging, core files or whatever behind.
Using plain keys (so no HSM, but with the same build which is aware of the HSM), syslog is no problem. Using HSM keys with plaintext log files (no syslog) also works excellently.
As I don't have any ideas anymore where to search, I want to ask you if somebody has ever seen this behaviour or knows what it could be caused by. (And maybe how to solve it....)
Thanks in advance!
Best regards,
Bart Somers.
#############################
# Build- and config-options #
#############################

bart@server1:./stunnel -version
stunnel 4.11 on powerpc-ibm-aix5.2.0.0 UCONTEXT+POLL+IPv4 with OpenSSL 0.9.8 05 Jul 2005

Global options
cert            = home/bart/stl/etc/stunnel/stunnel.pem
ciphers         = ALL:!ADH:+RC4:@STRENGTH
debug           = 5
key             = /home/bart/stl/etc/stunnel/stunnel.pem
pid             = /home/bart/stl/var/run/stunnel.pid
RNDbytes        = 64
RNDfile         = /dev/urandom
RNDoverwrite    = yes
session         = 300 seconds
verify          = none

Service-level options
TIMEOUTbusy     = 300 seconds
TIMEOUTclose    = 60 seconds
TIMEOUTconnect  = 10 seconds
TIMEOUTidle     = 43200 seconds

bart@server1:./openssl version
OpenSSL 0.9.8 05 Jul 2005

Compile options:

OpenSSL:
$ export LDFLAGS="-L/opt/nfast/toolkits/hwcrhk"
$ ./config --prefix=/home/bart/stl -DNFast -ldl
make and make install

Stunnel:
$ export CPPFLAGS="-I/home/bart/stl/include"
$ export LDFLAGS="-L/opt/nfast/toolkits/hwcrhk"
$ ./configure --prefix=/home/bart/stl --with-ssl=/home/bart/stl --disable-libwrap
make and make install

Config-file: include
engine = chil

Start-up:
$ with-nfast -f /home/bart/stl/tmp/ff /home/bart/stl/sbin/stunnel /home/bart/stl/etc/stunnel/stunnel.conf

Relevant information from the config-file:

engine = chil
cert = /home/bart/stl/etc/stunnel/my-key.pem
key = /home/bart/stl/etc/stunnel/my-key-hsm.pem
;(no chroot options used)
pid = /prj/stl_004/tmp/test/stunnel-client.pid
debug = 7
; output = /home/bart/stl/var/stunnel.log   # when in comment, problems!
client = yes

[test]
accept = 9400
connect = 10.10.10.10:443

All other values are the default from the example.
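A diagnostic harness for the "dies leaving nothing behind" symptom, added here as an example and not part of the post above: a daemonized stunnel takes its core-dump limit and exit status with it, so the script raises the core limit before starting stunnel and can run a foreground copy of the config so the shell reports the terminating signal. It assumes the with-nfast preload wrapper and stunnel paths from the post; the helper names (`make_foreground_conf`, `describe_status`, `run_probe`) are hypothetical.

```sh
#!/bin/sh
# Added diagnostic harness, not from the original post. Assumes the with-nfast
# preload wrapper and the stunnel paths shown in the post; helper names are
# hypothetical. Goal: when stunnel "dies leaving no logging, corefiles or
# whatever behind", make the process leave evidence of how it ended.

STUNNEL=/home/bart/stl/sbin/stunnel
PRELOAD="with-nfast -f /home/bart/stl/tmp/ff"

# Write a foreground variant of a config. stunnel 4.x in foreground mode does
# not fork, so the shell sees its exit status. Caveat: foreground mode logs to
# stderr instead of syslog unless "output" is set, so this variant shows how
# the process died but does not itself exercise the syslog code path.
make_foreground_conf() {
    # $1 = original config, $2 = destination
    {
        echo "foreground = yes"
        grep -v -E '^[[:space:]]*foreground[[:space:]]*=' "$1" || :
    } > "$2"
}

# Turn a shell exit status into a readable reason: a status above 128 means
# the process was killed by signal (status - 128), e.g. 139 -> signal 11.
describe_status() {
    if [ "$1" -gt 128 ]; then
        echo "killed by signal $(($1 - 128))"
    else
        echo "exited with status $1"
    fi
}

# Run stunnel with the core limit raised (the daemonized child inherits it),
# either unchanged (daemon + syslog, the failing setup, to obtain a core file)
# or in foreground mode (to see the exit reason).
# $1 = config, $2 = "daemon" or "foreground", $3 = file capturing stderr.
run_probe() {
    conf=$1; mode=$2; errlog=$3
    ulimit -c unlimited
    if [ "$mode" = foreground ]; then
        make_foreground_conf "$conf" "$conf.fg"
        conf=$conf.fg
    fi
    if $PRELOAD "$STUNNEL" "$conf" 2>"$errlog"; then
        status=0
    else
        status=$?
    fi
    describe_status "$status"
}
```

Run the daemon probe first with the unchanged (syslog) config to see whether a core file now appears, then the foreground probe to get the signal number; compare both against a run with the plain (non-HSM) key.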