Update:
I uninstalled version 4.52, then reinstalled version 4.47. RC4-SHA cipher now works correctly, with the same stunnel.conf.
~~~~~~~~~~~~~~~~~~~~~~
2012.03.08 23:36:50 LOG5[420:580]: stunnel 4.47 on x86-pc-mingw32-gnu platform
2012.03.08 23:36:50 LOG5[420:580]: Compiled/running with OpenSSL 1.0.0e 6 Sep 2011
2012.03.08 23:36:50 LOG5[420:580]: Threading:WIN32 SSL:ENGINE Auth:none Sockets:SELECT,IPv6
2012.03.08 23:36:50 LOG5[420:580]: Reading configuration from file stunnel.conf
2012.03.08 23:36:50 LOG6[420:580]: Initializing SSL context for service nntps.1
2012.03.08 23:36:50 LOG6[420:580]: SSL context initialized
2012.03.08 23:36:50 LOG6[420:580]: Initializing SSL context for service nntps.2
2012.03.08 23:36:50 LOG6[420:580]: SSL context initialized
2012.03.08 23:36:50 LOG5[420:580]: Configuration successful
2012.03.08 23:37:08 LOG5[420:2804]: Service nntps.2 accepted connection from 127.0.1.2:1033
2012.03.08 23:37:08 LOG6[420:2804]: connect_blocking: connecting 88.198.244.100:563
2012.03.08 23:37:09 LOG5[420:2804]: connect_blocking: connected 88.198.244.100:563
2012.03.08 23:37:09 LOG5[420:2804]: Service nntps.2 connected remote server from 173.89.4.172:1034
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=2, /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=1, /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
2012.03.08 23:37:09 LOG6[420:2804]: CERT: Locally installed certificate matched
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=0, /description=436134-bRSt8Rml1Sum890r/CN=news.eternal-september.org/emailAddress=wolfgang@weyand-hg.de
2012.03.08 23:37:09 LOG6[420:2804]: SSL connected: new session negotiated
2012.03.08 23:37:09 LOG6[420:2804]: Negotiated ciphers: RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.03.08 23:37:20 LOG6[420:2804]: SSL_shutdown successfully sent close_notify
2012.03.08 23:37:20 LOG5[420:2804]: Connection closed: 1251 bytes sent to SSL, 1861 bytes sent to socket
~~~~~~~~~~~~~~~~~~~~~~
Regards;
Thomas
On 3/8/2012 8:44 PM, Thomas Eifert wrote:
Hello all:
I'm running Stunnel 4.52 under WinXP SP3.
Last night I had some questions about how the cipher list in Stunnel interacts with the cipher negotiation routine between client and server, so I did some experiments in an attempt to address those questions.
In the course of doing so, I noticed that, if I attempt to load certain ciphers, Stunnel would stall at configuration load.
Using OpenSSL to list TLS ciphers with 4.52's libraries yields the following:
C:\Program Files\stunnel>openssl ciphers -v -tls1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

C:\Program Files\stunnel>
As such, ciphers RC4-SHA and RC4-MD5 appear to be valid. However, any attempt at using those in client mode causes Stunnel to stall when reading the cipher from stunnel.conf:
2012.03.08 20:17:10 LOG5[432:592]: Reading configuration from file stunnel.conf
2012.03.08 20:17:10 LOG5[432:592]: FIPS mode is enabled
2012.03.08 20:17:10 LOG7[432:592]: Compression not enabled
2012.03.08 20:17:10 LOG7[432:592]: Snagged 64 random bytes from C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: Wrote 1024 new random bytes to C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: PRNG seeded successfully
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service nntps.1
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from peer-nntps.1.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.1.pem revocation lookup file
2012.03.08 20:17:10 LOG7[432:592]: SSL options set: 0x00000004
2012.03.08 20:17:10 LOG6[432:592]: SSL context initialized
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service nntps.2
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from peer-nntps.2.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.2.pem revocation lookup file
2012.03.08 20:17:10 LOG3[432:592]: SSL_CTX_set_cipher_list: 1410D0B9: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2012.03.08 20:17:10 LOG3[432:592]: Failed to reload the configuration file
2012.03.08 20:17:10 LOG7[432:592]: Signal pipe is empty
~~~~~~~~~~~~~~~~~~~~
This is the relevant snippet from my stunnel.conf file:
~~~~~~~~~~~~~~~~~~~~
debug = 7
delay = yes
output = stunnel.log

[nntps.1]
client = yes
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
cafile = peer-nntps.1.pem
verify = 4
accept = 127.0.1.1:119
connect = news.server.com:443

[nntps.2]
client = yes
sslVersion = TLSv1
ciphers = RC4-SHA
cafile = peer-nntps.2.pem
verify = 4
accept = 127.0.1.2:119
connect = news.server.org:563
~~~~~~~~~~~~~~~~~~~~
Any attempt at using ciphers RC4-SHA or RC4-MD5, with or without TLS specified, results in the same configuration crash.
I don't really need to use those ciphers, but since I observed this behavior, I thought I'd better report it. Any comments welcome.
Regards;
Thomas
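The 4.52 log above reports "FIPS mode is enabled" just before SSL_CTX_set_cipher_list fails, while the 4.47 update shows RC4-SHA negotiating with the same stunnel.conf. The script below is an added example, not code from this thread or from stunnel: it parses `openssl ciphers -v` output and the `ciphers =` lines of an stunnel.conf, reports which configured names resolve and which are weak (an assumed policy), and applies an assumed approximation of OpenSSL FIPS mode (AES or 3DES encryption, SHA MAC, no export suites) to show the RC4-SHA service ending up with no usable cipher. The cipher table and config are constructed subsets of the output quoted in the report.

```python
import re
# Constructed sample: a subset of the "openssl ciphers -v -tls1" output quoted in the report.
OPENSSL_CIPHERS_V = """\
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""
# Constructed sample: the two services from the stunnel.conf snippet in the report.
STUNNEL_CONF = """\
[nntps.1]
client = yes
ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
[nntps.2]
client = yes
ciphers = RC4-SHA
"""
def parse_openssl_ciphers(text):
    """Map cipher name -> {Kx, Au, Enc, Mac, export} from 'openssl ciphers -v' lines."""
    table = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 6:
            info = {"export": parts[-1] == "export"}
            info.update(kv.split("=", 1) for kv in parts[2:] if "=" in kv)
            table[parts[0]] = info
    return table
def parse_stunnel_ciphers(conf):
    """Map [service] -> explicit names on its 'ciphers =' line (keywords like HIGH are not expanded)."""
    services, current = {}, None
    for line in conf.splitlines():
        if line.strip().startswith("["):
            current = line.strip().strip("[]")
        elif re.match(r"\s*ciphers\s*=", line) and current:
            services[current] = line.split("=", 1)[1].strip().split(":")
    return services
def is_weak(i):  # assumed policy: export suites, RC4/single-DES/RC2 encryption, or an MD5 MAC
    return i["export"] or i["Enc"].startswith(("RC4", "DES(", "RC2")) or i["Mac"] == "MD5"
def fips_allowed(i):  # assumed approximation of OpenSSL FIPS mode: AES or 3DES, SHA MAC, no export
    return i["Enc"].startswith(("AES", "3DES")) and i["Mac"] != "MD5" and not i["export"]
def audit(conf=STUNNEL_CONF, ciphers_v=OPENSSL_CIPHERS_V, fips=False):
    """Per service: unresolved, weak and usable names, and whether nothing usable is left
    (the condition SSL_CTX_set_cipher_list reports as 'no cipher match')."""
    table, report = parse_openssl_ciphers(ciphers_v), {}
    for svc, names in parse_stunnel_ciphers(conf).items():
        known = [n for n in names if n in table]
        usable = [n for n in known if not fips or fips_allowed(table[n])]
        report[svc] = {"unknown": [n for n in names if n not in table], "usable": usable,
                       "weak": [n for n in known if is_weak(table[n])], "no_cipher_match": not usable}
    return report
```

Running `audit()` against real `openssl ciphers -v` output and a real stunnel.conf is a quick pre-deployment check that every service's cipher list still resolves after a stunnel or OpenSSL upgrade.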