Hello Mike,
many thanks for your work.
However, I have problems with the current Stunnel versions. (I work with Windows 64bit.)
Stunnel 4.47 works without problems. Stunnel 4.51b1 however - starts only if "fips = no" is set; - not accepts my certificate and my private key (SHA384 or RMD160, AES128 or IDEA) any more:
error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
Yours sincerely Sebastian
Sebastian Rose-Indorf wrote:
Stunnel 4.51b1 however
- starts only if "fips = no" is set;
- does not accept my certificate and my private key (SHA384 or RMD160, AES128 or IDEA) any more:

error queue: 140B0009: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:PEM lib
error queue: 907B00D: error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
error queue: 2306A075: error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
error queue: 23077073: error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
Do you mean that stunnel does not accept non-FIPS-approved algorithms in FIPS mode? I suppose this is something to be expected...
Or maybe you rather mean that in FIPS mode it does not start at all (what does it mean exactly?), and with FIPS mode turned off you still can't use non-FIPS algorithms?
This essay may be helpful: http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as PBE algorithm (who would want to use IDEA, anyway), I'm surprised there are also problems with AES128. It might be a good idea to report it to openssl-users mailing list...
Mike
Hello Mike,
I can make a statement only about the non-FIPS mode, because Stunnel 4.5* starts only if "fips = no" is set (without it, Windows gives an error message).
I have tested both an RSA-SHA384/AES128 certificate/priv-key pair and an RSA-RMD160/IDEA certificate/priv-key pair. Neither works. (SHA384/AES128 is validated by FIPS 140-2, but not provided by PKCS12. Could it be due to that?)
Yours sincerely Sebastian
Hi,
Your log said there is a problem with your cert/key.
Your certificate/private-key pair must use an RSA or DSA key.
IDEA and RSA are part of ciphers, not part of key/cert.
Use the openssl given to you to make these manipulations:
- Open a CMD window with administrator rights
- cd C:\Program Files (x86)\stunnel
And convert your PKCS12 key/cert couple to PEM format like this:

# export certificate and passphrase-less key
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes

# same as above, but you'll be prompted for a passphrase for
# the private key
openssl pkcs12 -in mycert.pfx -out mycert.pem

Then verify that your PEM file is valid like this:
openssl verify mycert.pem
If it is ok, then put in your stunnel.conf:
cert = mycert.pem
And retry.
Then, to choose compatible ciphers, this is what is built into the openssl of stunnel 4.50 or 4.51:
C:>cd C:\Program Files (x86)\stunnel
C:\Program Files (x86)\stunnel>openssl.exe ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
Ludovic.
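Ludovic's list above is the raw "openssl ciphers -v" output of the bundled 0.9.8 build; in practice one reduces it to a "ciphers =" line for stunnel.conf rather than accept the defaults, since the list still contains SSLv2, export-grade, RC4, single-DES and MD5 suites. The following is an added example, not stunnel's tooling and not code from anyone in this thread: it parses a subset of that output and applies a policy that is this example's own assumption (drop export-grade suites, SSLv2 suites and MD5 MACs, keep only AES and 3DES, list the forward-secret DHE suites first). The Mac=SHA1 column is the record-layer HMAC negotiated for the connection; it is independent of the hash used to sign the certificate.

```python
"""Reduce 'openssl ciphers -v' output to a stunnel 'ciphers =' line.

Added example for this thread, not stunnel's own tooling.  The acceptance
policy is this example's assumption: no export-grade suites, no SSLv2 suites,
no MD5 record MAC, only AES or 3DES bulk ciphers, DHE (Kx=DH) suites first."""
import re

# Constructed input: the prompt line plus a subset of the output posted above.
SAMPLE_CIPHERS_V = """\
C:\\Program Files (x86)\\stunnel>openssl.exe ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""

# One 'ciphers -v' line: name protocol Kx= Au= Enc=ALG(bits) Mac= [export]
CIPHER_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[A-Za-z0-9]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export)?\s*$")

ALLOWED_ENC = ("AES", "3DES")


def parse_ciphers_v(text):
    """Parse the suites; lines that are not suite descriptions are skipped."""
    suites = []
    for line in text.splitlines():
        m = CIPHER_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["bits"] = int(s["bits"])
            s["export"] = s["export"] is not None
            suites.append(s)
    return suites


def reject_reason(s):
    """Why a suite is refused under the policy above, or None to keep it."""
    if s["export"]:
        return "export-grade suite"
    if s["proto"] == "SSLv2":
        return "SSLv2 suite"
    if s["mac"] == "MD5":
        return "MD5 record MAC"
    if s["enc"] not in ALLOWED_ENC:
        return "bulk cipher %s not allowed" % s["enc"]
    return None


def select_ciphers(text):
    """Return (accepted names in preference order, {rejected name: reason})."""
    accepted, rejected = [], {}
    for s in parse_ciphers_v(text):
        reason = reject_reason(s)
        if reason:
            rejected[s["name"]] = reason
        else:
            accepted.append(s)
    # Kx=DH suites (DHE-/EDH- names) give forward secrecy, so they come first;
    # within each group the larger bulk-cipher key wins.
    accepted.sort(key=lambda s: (not s["kx"].startswith("DH"), -s["bits"]))
    return [s["name"] for s in accepted], rejected


def stunnel_ciphers_line(names):
    """The stunnel.conf option, colon-separated as OpenSSL cipher strings are."""
    return "ciphers = " + ":".join(names)


if __name__ == "__main__":
    names, rejected = select_ciphers(SAMPLE_CIPHERS_V)
    print(stunnel_ciphers_line(names))
    for name, reason in rejected.items():
        print("dropped %-20s %s" % (name, reason))
```

Run against the full list above, the same policy also keeps the DSS and EDH-*-DES-CBC3 suites and drops everything else; the dropped dictionary is worth printing once, so the reason each suite vanished is on record before the config change goes in.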
Hello,
many thanks for your answer.
And convert your PKCS12 key/cert couple to PEM format
Convert? I've generated my certificate/priv-key pair by:
openssl genpkey -algorithm RSA -aes128 -pkeyopt rsa_keygen_bits:4096 -out key.pem
openssl req -new -x509 -sha384 -priv_key.pem -verify -config openssl.conf -out cert.pem
And with Stunnel 4.47 (OpenSSL 1.0) there are no problems.
Then, to choose compatible ciphers, this is what is built into the openssl of stunnel 4.50 or 4.51: ... AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"AES128-SHA" means SHA1 and not SHA2 (e.g. SHA384), right? Stunnel 4.5* (OpenSSL 0.9.8-fips) would therefore support only SHA1 (and MD5). This would be a great pity because SHA1 is contested.
Is FIPS really so important that a downgrade of OpenSSL from 1.0 to 0.9.8 is acceptable?
Regards Sebastian
stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
Hi,
Yes, OpenSSL 0.9.8 normally supports SHA2. But the mistake here is generating an encrypted private key. Stunnel supports only unencrypted private keys; it can't ask you for a passphrase.
Try with :
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out key.pem
Ludovic.
On 11/12/2011 23:39, Sebastian Rose-Indorf wrote:
Hello,
many thanks for your answer.
And convert your PKCS12 key/cert couple to PEM format
Convert? I've generated my certificate/priv-key pair by:
openssl genpkey -algorithm RSA -aes128 -pkeyopt rsa_keygen_bits:4096 -out key.pem
openssl req -new -x509 -sha384 -priv_key.pem -verify -config openssl.conf -out cert.pem
And with Stunnel 4.47 (OpenSSL 1.0) there are no problems.
Then, to choose compatible ciphers, this is what is built into the openssl of stunnel 4.50 or 4.51: ... AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"AES128-SHA" means SHA1 and not SHA2 (e.g. SHA384), right? Stunnel 4.5* (OpenSSL 0.9.8-fips) would therefore support only SHA1 (and MD5). This would be a great pity because SHA1 is contested.
Is FIPS really so important that a downgrade of OpenSSL from 1.0 to 0.9.8 is acceptable?
Regards Sebastian
Hi Mike,
But I have the same problem as Sebastian with 4.50. I'm not able to decrypt my private key with any cipher.
Not working:
openssl genpkey -algorithm RSA -aes-128-cbc -pkeyopt rsa_keygen_bits:4096 -out key.pem
openssl req -new -x509 -sha384 -key key.pem -verify -out cert.pem
or
openssl genpkey -algorithm RSA -des3 -pkeyopt rsa_keygen_bits:4096 -out key.pem
openssl req -new -x509 -sha384 -key key.pem -verify -out cert.pem
Error is:
SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope routines:EVP_PBE_CipherInit:unknown pbe algorithm
Working (but then without an encryption passphrase):
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out key.pem
openssl req -new -x509 -sha384 -key key.pem -verify -out cert.pem
Ludovic.
On 12/12/2011 12:51, Michal Trojnara wrote:
Ludovic LEVET wrote:
Stunnel support only no crypted private key. it can't ask you passphrase.
Well... It was true (at least on Windows) until version 4.04 (released 12 Jan 2003).
Mike
Ludovic LEVET wrote:
But I have the same problem as Sebastian with 4.50. I'm not able to decrypt my private key with any cipher.
Works for me.
Certificate created with:
openssl.exe req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
stunnel.cnf from the Win32 distribution of stunnel, with "encrypt_key = no" commented out.
I guess you have used some features only available in OpenSSL 1.0.x:
C:\Program Files\stunnel>openssl genpkey
openssl:Error: 'genpkey' is an invalid command.
Mike
Yes, I tested with OpenSSL 1.0.0 to generate the cert. That is the mistake.
The headers are changed:
openssl 1.0.0 key:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI0Z45oYYRJ1cCAggA
MB0GCWCGSAFlAwQBAgQQF4QLI0IILDItqQFXHJeAxgSCCVBAo1Ed9BHwyhHeBzx2
rQELkAghar26CFsP7qvMwZ+vnATbArA2MvFWJWy0l2pl7/Rn7RcoztbSzg82c8IG
...
openssl 0.9.8 key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,327E4B06D51C7728

grestO9v2wfiqFwBy8bBbpNjMWpFrrc/9y8q68n6c48enCFyDsdVlyqToOQ+Razt
d98I+rkTow33X83e9+Zt8rGlKJlPXn3zHTKbjNhfc7j6kk+ssWJft5OAvu5NShMx
FOATl4pW97qCf1x4pFwQGm8/8MhCqOpqv2cLfjz2T4Egu1qP2sHZ35QU/gHBLHYh
...
Ludovic.
On 12/12/2011 15:36, Michal Trojnara wrote:
Ludovic LEVET wrote:
But I have the same problem as Sebastian with 4.50. I'm not able to decrypt my private key with any cipher.
Works for me.
Certificate created with:
openssl.exe req -new -x509 -days 365 -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem
stunnel.cnf from the Win32 distribution of stunnel, with "encrypt_key = no" commented out.
I guess you have used some features only available in OpenSSL 1.0.x:
C:\Program Files\stunnel>openssl genpkey
openssl:Error: 'genpkey' is an invalid command.
Mike
So, for you Sebastian it will be:
Use the openssl given to you to make these manipulations:
- Open a CMD window with administrator rights
- cd C:\Program Files (x86)\stunnel
openssl.exe genrsa -aes128 -out mykey.key 4096
openssl.exe req -new -x509 -sha384 -days 365 -key mykey.key -verify -config stunnel.cnf -out cert.crt
copy mykey.key+cert.crt mycert.pem
Ludo.
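Ludovic's two headers above carry the whole diagnosis: "ENCRYPTED PRIVATE KEY" is a PKCS#8 EncryptedPrivateKeyInfo, and decoding the first line of his OpenSSL 1.0.0 excerpt gives PBES2 with PBKDF2 (salt d19e39a186112757, 2048 iterations, default hmacWithSHA1 PRF) and aes128-CBC, while "RSA PRIVATE KEY" with Proc-Type/DEK-Info headers is the traditional OpenSSL container that the thread found the 0.9.8-based build accepting. The following is an added example (my code, not stunnel's or OpenSSL's) that classifies a PEM file and, for a PKCS#8 encrypted key, decodes the PBE, KDF, PRF and cipher OIDs with a minimal DER reader, so a key can be checked before it is handed to an older build. The inputs are Ludovic's excerpts as posted (truncated; END markers added so the PEM framing is complete), and the parser only needs the leading AlgorithmIdentifier. The needs_rewrite flag encodes the thread's finding as an assumption, not a rule stated by stunnel.

```python
"""Classify a PEM private-key container and, for a PKCS#8 EncryptedPrivateKeyInfo,
decode its PBE / KDF / PRF / cipher OIDs.  Added example for this thread, not
stunnel or OpenSSL code; only the OIDs in OID_NAMES are reported by name."""
import base64
import re

OID_NAMES = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.3.7": "des-ede3-CBC",
    "2.16.840.1.101.3.4.1.2": "aes128-CBC",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
}

def _read_tlv(buf, pos):
    """(tag, value, next_pos) of the DER element at buf[pos]; long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = _read_tlv(buf, pos)
        out.append((tag, val))
    return out

def _oid(raw):
    """Decode a DER OID value to dotted form and map it to a name where known."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    dotted = ".".join(parts)
    return OID_NAMES.get(dotted, dotted)

def _parse_pbe(der):
    """Decode EncryptedPrivateKeyInfo.encryptionAlgorithm; only the leading
    AlgorithmIdentifier is read, so a truncated blob is enough."""
    (_, epki), = _children(der)
    alg = [v for _, v in _children(_children(epki)[0][1])]      # AlgorithmIdentifier
    out = {"pbe": _oid(alg[0])}
    if out["pbe"] != "PBES2":                                     # PBES1 / PKCS#12 PBE: no sub-OIDs
        return out
    kdf, scheme = [_children(v) for _, v in _children(alg[1])]   # PBES2-params {kdf, scheme}
    out["kdf"] = _oid(kdf[0][1])
    # PBKDF2-params {salt, iterationCount, keyLength OPTIONAL, prf DEFAULT hmacWithSHA1}
    kdf_params = _children(kdf[1][1])
    out["salt"] = kdf_params[0][1].hex()
    out["iterations"] = int.from_bytes(kdf_params[1][1], "big")
    out["prf"] = "hmacWithSHA1 (default)"
    if kdf_params[-1][0] == 0x30:                                 # explicit prf present
        out["prf"] = _oid(_children(kdf_params[-1][1])[0][1])
    out["cipher"] = _oid(scheme[0][1])
    return out

def inspect_pem(pem_text):
    """Report label, container format, encryption state and PBE details of a PEM key."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.groups()
    headers = dict(re.findall(r"^([\w-]+): (.*?)\r?$", body, re.M))    # Proc-Type, DEK-Info
    b64 = "".join(re.findall(r"^([A-Za-z0-9+/=]+)\r?$", body, re.M))   # base64 lines only
    info = {"label": label, "format": "unknown", "encrypted": None}
    if label in ("RSA PRIVATE KEY", "DSA PRIVATE KEY"):             # traditional container
        info["format"] = "traditional"
        info["encrypted"] = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        if info["encrypted"]:
            info["cipher"] = headers["DEK-Info"].split(",")[0]
    elif label == "PRIVATE KEY":
        info.update(format="PKCS#8 PrivateKeyInfo", encrypted=False)
    elif label == "ENCRYPTED PRIVATE KEY":
        info.update(format="PKCS#8 EncryptedPrivateKeyInfo", encrypted=True)
        info.update(_parse_pbe(base64.b64decode(b64)))
    # The shape this thread found the 0.9.8-based stunnel build rejecting
    # (an assumption drawn from the thread, not a rule stated by stunnel).
    info["needs_rewrite"] = info["format"] == "PKCS#8 EncryptedPrivateKeyInfo"
    return info

# Ludovic's excerpts above, truncated as posted ("..." lines are skipped); END
# markers added so the PEM framing is complete.  The 0.9.8 key is never decoded.
PKCS8_EXCERPT = """\
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIJnzBJBgkqhkiG9w0BBQ0wPDAbBgkqhkiG9w0BBQwwDgQI0Z45oYYRJ1cCAggA
MB0GCWCGSAFlAwQBAgQQF4QLI0IILDItqQFXHJeAxgSCCVBAo1Ed9BHwyhHeBzx2
...
-----END ENCRYPTED PRIVATE KEY-----
"""
LEGACY_EXCERPT = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,327E4B06D51C7728

grestO9v2wfiqFwBy8bBbpNjMWpFrrc/9y8q68n6c48enCFyDsdVlyqToOQ+Razt
...
-----END RSA PRIVATE KEY-----
"""
```

When the flag is set, rewriting the key into the traditional container is the quick fix: with an OpenSSL 1.0.x binary, openssl rsa -in key.pem -aes128 -out key-legacy.pem does that (OpenSSL 3 needs the extra -traditional flag), and the result has the same shape as the keys Mike and Ludovic found working. Generating with the bundled 0.9.8 openssl.exe from the start, as Ludo suggests above, avoids the question altogether.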