Hello,

As a part of Fedora's attempt to rely on a single, FIPS-certified crypto implementation[1], I have prepared a port of stunnel to NSS, activated by passing --with-nss to configure. The port relies on a currently unreleased version of nss_compat_ossl[2].
The NSS interface is rather different from OpenSSL's, and many options that are configured explicitly by applications with OpenSSL are either not available to applications with NSS, or are configured using external tools in an "NSS database", which stores certificates, private keys and configuration settings.
In particular:
- The EGD (option "EGD") is not supported.
- "RSA support" (loading keys as "RSA PRIVATE KEY" instead of "ANY PRIVATE KEY") is irrelevant; keys are stored in the NSS database.
- DH key exchange is not supported for the server side.
- Compression (option "compression") is not supported.
- OpenSSL engines (options "engine", "engineCtrl") are not supported; PKCS#11 plugins are configured in the NSS database.
- CRLs (options "CRLpath", "CRLfile") are not configured; all CRLs stored in the NSS database are used automatically.
- OCSP (options "OCSP", "OCSPflag") is not supported in the current port; NSS supports OCSP, but a CA certificate must be specified along with the OCSP URL.
- OpenSSL options (option "options") are not supported.
- NTLM authentication for the "CONNECT" protocol is not supported because NSS currently does not implement MD4.
- Certificates (option "cert") are stored in the NSS database; the "cert" option contains the nickname of a certificate stored in the database.
- CA certificates (options "CApath", "CAfile") are stored in the NSS database.
- error_depth on certificate verification failure is not supported.
To convert an existing stunnel setup to NSS, at minimum it is necessary to:
- select an NSS database directory, $SSL_DIR, and create the database:
  $ certutil -d $SSL_DIR -N
- import server and CA certificates:
  $ certutil -d $SSL_DIR -A -n server_cert_nickname -t ",," -i server_cert.pem
- import the server private key:
  $ openssl pkcs12 -export -in server_key.pem -out server_key.pfx
  $ pk12util -d $SSL_DIR -i server_key.pfx
- modify stunnel.conf to use "server_cert_nickname" instead of the path to "server_cert.pem" in "cert"
- when starting stunnel, make sure $SSL_DIR is present in the environment
I'm afraid the incompatibilities are large, but the current NSS design really requires a database, and it does not work well with separate files.
We'd like to include this NSS port of stunnel in Fedora 8 (if it doesn't prove to be too buggy).
I'll be grateful for any comments. Mirek
[1] http://fedoraproject.org/wiki/FedoraCryptoConsolidation
[2] http://rcritten.fedorapeople.org/nss_compat_ossl.html
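The conversion procedure described in the message, carried out end to end by a helper script. This is an added example written for this page; it is not part of the original message, of stunnel, or of the NSS port. It assumes a modern certutil that accepts --empty-password, that certutil -A requires a -t trust argument (",," for a server certificate, "CT,," for a CA), that the server .pem file holds both certificate and private key (so a single pk12util import brings in both, and the "-name" given to openssl becomes the NSS nickname), and that a "key" option in stunnel.conf should be dropped because the key now lives in the database. The list of option names it comments out is taken from the incompatibility list above; the function and variable names are the script's own.

```shell
#!/bin/sh
# Added example, not from the original message or from the stunnel/NSS port:
# convert a file-based stunnel setup to the NSS port described above.
#
# Assumptions (not stated in the message):
#  - certutil accepts --empty-password (modern NSS);
#  - certutil -A needs -t: ",," for a server cert, "CT,," for a CA;
#  - SERVER.pem contains certificate and private key, so one pk12util
#    import brings in both and "-name" becomes the NSS nickname;
#  - a "key" option is dropped since the key is now in the database.

# Options the NSS port does not support (from the list in the message).
# They are commented out, not deleted, so the old setting stays visible.
UNSUPPORTED='EGD compression engine engineCtrl CRLpath CRLfile OCSP OCSPflag options CApath CAfile'

# convert_conf NICKNAME: rewrite a stunnel.conf read on stdin to stdout.
convert_conf() {
    awk -v nick="$1" -v unsupported="$UNSUPPORTED" '
    BEGIN {
        n = split(unsupported, u, " ")
        for (i = 1; i <= n; i++) bad[tolower(u[i])] = 1
    }
    # comments, blank lines and [section] headers pass through untouched
    /^[ \t]*[#;]/ || !/=/ { print; next }
    {
        key = $0
        sub(/[ \t]*=.*/, "", key)       # strip "= value"
        sub(/^[ \t]+/, "", key)         # strip leading blanks
        lk = tolower(key)
        if (lk == "cert") { print "cert = " nick; next }
        if (lk == "key")  { print "; " $0 " (private key is imported into the NSS database instead)"; next }
        if (lk in bad)    { print "; unsupported by the NSS port: " $0; next }
        print
    }'
}

# setup_nssdb DBDIR NICKNAME CA.pem SERVER.pem: create the database, import
# the CA certificate (trusted to issue certs) and the server cert plus key.
setup_nssdb() {
    dir=$1 nick=$2 ca=$3 pem=$4
    mkdir -p "$dir"
    certutil -d "$dir" -N --empty-password
    certutil -d "$dir" -A -n "$nick-ca" -t "CT,," -i "$ca"
    # PKCS#12 is the only route for a private key into the NSS database
    openssl pkcs12 -export -in "$pem" -name "$nick" -passout pass: -out "$dir/$nick.pfx"
    pk12util -d "$dir" -i "$dir/$nick.pfx" -W ""
    rm -f "$dir/$nick.pfx"
    certutil -d "$dir" -L                 # list what stunnel will find
}

# Usage: sh nss-convert.sh DBDIR NICKNAME CA.pem SERVER.pem stunnel.conf
# Writes stunnel.conf.nss next to the original configuration.
if [ "$#" -eq 5 ]; then
    setup_nssdb "$1" "$2" "$3" "$4"
    convert_conf "$2" < "$5" > "$5.nss"
    echo "wrote $5.nss; start stunnel with SSL_DIR=$1 in the environment"
fi
```

The script keeps the two halves of the procedure separate on purpose: convert_conf is pure text processing and can be reviewed with a diff before anything touches the database, while setup_nssdb is the only part that needs certutil, pk12util and openssl installed. After running it, export SSL_DIR to the database directory in stunnel's environment, as the message requires; without it the "cert" nickname cannot be resolved.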