Hi,
Since stunnel 5.62 it does not take the passphrase for a client key any more; instead it logs 'bad decrypt' at once.
It is the same behaviour on Debian/sid as well as on Windows 10.
Up to stunnel 5.61 the same stunnel.conf is accepted and the key gets loaded.
Here is the top of our stunnel.conf:
cert = /home/regula/cert.pem
key = /home/regula/cert.key
client = yes
[-- snip --]
Calling stunnel from bash:
$ stunnel stunnel.conf
[-- snip --]
[ ] Loading certificate from file: /home/regula/cert.pem
[ ] Certificate loaded from file: /home/regula/cert.pem
[ ] Loading private key from file: /home/regula/cert.key
[!] error queue: ../ssl/ssl_rsa.c:384: error:0A080009:SSL routines::PEM lib
[!] error queue: ../crypto/pkcs12/p12_decr.c:86: error:11800074:PKCS12 routines::pkcs12 cipherfinal error
[!] error queue: ../providers/implementations/ciphers/ciphercommon_block.c:124: error:1C800064:Provider routines::bad decrypt
[!] error queue: ../crypto/pkcs12/p12_decr.c:86: error:11800074:PKCS12 routines::pkcs12 cipherfinal error
[!] SSL_CTX_use_PrivateKey_file: ../providers/implementations/ciphers/ciphercommon_block.c:124: error:1C800064:Provider routines::bad decrypt
[!] Service [guacamole]: Failed to initialize TLS context
[!] Configuration failed
[-- snip --]
$ ls -lh *pem *key
-r-------- 1 regula regula 3,4K 22. Jun 16:52 cert.key
-r-------- 1 regula regula 2,2K 22. Jun 16:45 cert.pem
openssl does show the passphrase prompt and displays the private key:
$ openssl rsa -in cert.key
Enter pass phrase for cert.key:
writing RSA key
-----BEGIN PRIVATE KEY-----
[-- snip --]
-----END PRIVATE KEY-----
~$ dpkg -l|grep openssl
ii  openssl   3.0.4-2      amd64   Secure Sockets Layer toolkit - cryptographic utility
~$ dpkg -l|grep stunnel
ii  stunnel4  3:5.63-1+b1  amd64   Universal SSL tunnel for network daemons
Why is there different behaviour between openssl and stunnel > 5.61 when loading a private key file?
Regards, Johann
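The useful diagnostic step in the report above is the comparison: the openssl CLI decrypts cert.key with the passphrase, while stunnel's SSL_CTX_use_PrivateKey_file fails with "bad decrypt" (the p12_decr.c frames in the log are the PKCS#8 PBE decryption path, i.e. an "ENCRYPTED PRIVATE KEY" PEM block). The script below, an added example and not code from the stunnel project or from the original post, turns that comparison into a non-interactive pre-flight check you can run in a deploy script: it classifies the key file by its PEM header, then asks OpenSSL to decrypt it with a given passphrase via -passin, so a wrong passphrase or a damaged file is ruled out before the daemon is blamed. It assumes only the openssl CLI on PATH (1.1 or 3.x); the key, its passphrase and the temporary directory are constructed by the demo function.

```shell
#!/bin/sh
# Added example (not stunnel project code): pre-flight check of an encrypted
# PEM private key before handing it to a TLS daemon such as stunnel.
set -u

# Classify a PEM private key by its header. Prints one of:
#   pkcs8-encrypted   "-----BEGIN ENCRYPTED PRIVATE KEY-----" (PKCS#8, PBES2)
#   legacy-encrypted  "Proc-Type: 4,ENCRYPTED" (traditional OpenSSL PEM)
#   plain             no encryption marker found
key_encryption_kind() {
    keyfile=$1
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$keyfile"; then
        echo pkcs8-encrypted
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$keyfile"; then
        echo legacy-encrypted
    else
        echo plain
    fi
}

# Try to decrypt the key non-interactively with the given passphrase.
# Returns 0 if OpenSSL can parse the key, 1 otherwise. OpenSSL's stderr is
# kept in LAST_OPENSSL_ERROR so the caller can show the reason (OpenSSL 3.x
# reports a wrong passphrase as "bad decrypt", the same text stunnel logged).
LAST_OPENSSL_ERROR=""
key_accepts_passphrase() {
    keyfile=$1
    passphrase=$2
    if LAST_OPENSSL_ERROR=$(openssl pkey -in "$keyfile" \
            -passin "pass:$passphrase" -noout 2>&1); then
        return 0
    fi
    return 1
}

# Demo: build a throwaway PKCS#8 key encrypted with PBES2/AES-256-CBC
# (constructed for this example), then check it with the right and a wrong
# passphrase. Prints "<kind> <right-passphrase-ok> <wrong-passphrase-ok>".
demo_encrypted_key() {
    workdir=$(mktemp -d)
    pw='constructed-passphrase'          # constructed, never use in production
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$workdir/plain.key" 2>/dev/null
    openssl pkcs8 -topk8 -v2 aes-256-cbc -in "$workdir/plain.key" \
        -passout "pass:$pw" -out "$workdir/cert.key"
    chmod 400 "$workdir/cert.key"        # same mode as in the report above
    rm -f "$workdir/plain.key"           # do not leave the cleartext key around

    kind=$(key_encryption_kind "$workdir/cert.key")
    if key_accepts_passphrase "$workdir/cert.key" "$pw"; then ok=yes; else ok=no; fi
    if key_accepts_passphrase "$workdir/cert.key" 'wrong'; then bad=yes; else bad=no; fi
    # Show OpenSSL's own wording for the failed attempt, as stunnel would log it.
    printf 'wrong passphrase -> %s\n' "$LAST_OPENSSL_ERROR" >&2

    rm -rf "$workdir"
    echo "$kind $ok $bad"
}

demo_encrypted_key
```

If this check passes for the key and passphrase you intend to give stunnel but the daemon still reports "bad decrypt", the file is fine and the passphrase is not reaching OpenSSL through the daemon, which is the situation the thread describes; if the check fails, fix the key or passphrase first.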
Hi Johann,
I investigated this issue and found out that encrypted private keys were never working with OpenSSL 3.0 (regardless of the stunnel version).
Thank you very much for reporting this bug!
Please try building https://www.stunnel.org/downloads/beta/stunnel-5.66b1.tar.gz from source. It works fine in my tests.
Also, https://www.stunnel.org/downloads/beta/stunnel-5.66b1-win64-installer.exe should fix it on Windows.
Best regards, Mike
On 15/08/2022 16:26, Johann Hörmann via stunnel-users wrote: