Dear stunnel managers,
I would like to inform you that there exists some incompatibility between stunnel and the openssl pkcs11-engine with an external PIN entry device (like an RSA smartcard using opensc) in Linux.
We use this config in stunnel.conf to load the openssl engine:
---
engine=dynamic
engineCtrl=SO_PATH:/usr/lib/engines/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/lib/opensc-pkcs11.so
engineCtrl=INIT
---
Problem is, with this setup stunnel does not allow the user to enter the PIN for the secret key. Instead it tries to get the secret key without a PIN, 3 times (and therefore usually blocks the card PIN), and retries:
----
Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
error queue: 800050A0 : error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
Wrong PIN: retrying
error queue: 26096080 : error:26096080:engine routines:ENGINE_load_private_key:failed loading private key
ENGINE_load_private_key: 800050A0: error:800050A0:PKCS11 library:PKCS11_login:PIN incorrect
----
I discovered workaround that is valid form version 4.26 till current 4.34, as follows, NULL-ing the ui_data.method property in ctx.c: --- diff -cr stunnel-4.34/src/ctx.c stunnel-4.34-patched/src/ctx.c *** stunnel-4.34/src/ctx.c 2010-09-14 18:08:43.000000000 +0300 --- stunnel-4.34-patched/src/ctx.c 2010-09-28 21:56:36.219081931 +0300 *************** *** 304,309 **** --- 304,310 ---- UI_method_set_reader(ui_method, pin_cb); #else /* USE_WIN32 */ ui_method=UI_OpenSSL(); + ui_data.section = NULL; #endif /* USE_WIN32 */ if(section->engine) for(i=1; i<=3; i++) { ---
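Review bot: the description and the hunk disagree about what is cleared: the text says the ui_data.method property is NULLed, but the added line is `ui_data.section = NULL;`; make the prose match the code (or the code match the prose) so the next reader knows which field the engine was misreading. The assignment also lands only in the `#else /* USE_WIN32 */` branch, directly after `ui_method=UI_OpenSSL();` where stunnel's own `pin_cb` reader is not installed, so a one-line comment saying the field is cleared because the engine inspects the callback data would keep it from looking like dead code. Finally, the `for(i=1; i<=3; i++)` loop that follows spends all three card attempts even though no prompt was ever shown (exactly the lockout the report describes); consider whether a retry is warranted at all when the user was never asked for a PIN.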
After that patch the private key loads correctly:
---
Initializing engine 1
Engine 1 initialized
PRNG seeded successfully
Certificate: mart.pem
Certificate loaded
Key file: id_01
private key loaded
---
It would be nice if:
* somebody investigates more precisely why the OpenSSL PIN entry is not showing with unpatched stunnel
* my patch, or a better one, is included for this situation
Thank you very much for an excellent piece of software!
With best regards, Märt Laak
Dear stunnel users,
As there is no development/patches related to this issue, I made a Wiki page describing the problem and offering a temporary solution/patches: http://martlaak.wikispaces.com/Stunnel+and+engine_pkcs11 PS! You can also download a patched windows build from that page.
With best regards, Märt Laak
On Sun, Oct 3, 2010 at 10:49 AM, Märt Laak martlaak@gmail.com wrote:
Hi Märt,
Thank you very much.
Isn't it better to fix the broken engine library that uses the user callback data, instead of applying a crude workaround to stunnel? This library is clearly abusing the OpenSSL API.
Mike
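Märt's workaround and Mike's remark above point at one pattern: OpenSSL's `callback_data` pointer belongs to whoever installs the UI method, yet an engine may reinterpret it. This added example (not code from stunnel or engine_pkcs11) models that in C; `pw_cb_data`, `ui_data`, `stunnel_like_pin_cb` and the two `engine_get_pin_*` functions are hypothetical stand-ins, and the idea that the engine treats the first word of `callback_data` as a password is an assumption inferred from why `ui_data.section = NULL` helps, not something the thread states.

```c
/* Added example, not stunnel's or engine_pkcs11's code. It models the bug
 * pattern behind the thread: an engine that reinterprets the opaque UI
 * callback_data pointer instead of passing it back to the UI reader.
 * Assumption: the {password, prompt_info} layout is OpenSSL's apps
 * convention (PW_CB_DATA); that the engine reads it is inferred, not stated. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* OpenSSL-apps convention for callback_data (assumed, see above). */
struct pw_cb_data { const void *password; const char *prompt_info; };

/* Hypothetical stunnel-like UI data. The first member is NOT a PIN; it is a
 * char* here (not a SERVICE_OPTIONS*) only so the wrong read below stays
 * memory-safe in this demo. */
struct ui_data { const char *section; int prompts; };

/* Stand-in for an OpenSSL UI_METHOD reader. */
typedef int (*pin_reader)(char *out, size_t n, void *user_data);

/* The caller's reader: the only code entitled to interpret ui_data. */
int stunnel_like_pin_cb(char *out, size_t n, void *user_data) {
    struct ui_data *d = user_data;
    d->prompts++;                       /* a real reader would prompt here */
    snprintf(out, n, "%s", "1234");     /* constructed PIN for the demo */
    return 1;
}

/* Misbehaving engine: assumes callback_data is a pw_cb_data. When it is
 * really a ui_data, "password" aliases ui_data.section, so a non-NULL
 * section is sent to the card as the PIN and the user is never asked. */
int engine_get_pin_peeking(pin_reader rd, void *cb, char *out, size_t n) {
    const struct pw_cb_data *p = cb;
    if (p != NULL && p->password != NULL) {
        snprintf(out, n, "%s", (const char *)p->password);
        return 1;
    }
    return rd(out, n, cb);              /* only reached once section==NULL */
}

/* Correct engine: callback_data is opaque and goes straight to the reader. */
int engine_get_pin_opaque(pin_reader rd, void *cb, char *out, size_t n) {
    return rd(out, n, cb);
}
int main(void) {                        /* stand-alone run: shows the misread */
    struct ui_data d = { "[https]", 0 }; char pin[32];
    engine_get_pin_peeking(stunnel_like_pin_cb, &d, pin, sizeof pin);
    printf("peeking engine used \"%s\" as PIN, prompts=%d\n", pin, d.prompts);
    return 0;
}
```

With the section pointer non-NULL the peeking engine sends the section name to the card and burns an attempt without any prompt; clearing it (the thread's workaround) makes that engine fall through to the reader, which is what the opaque engine does unconditionally.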
On Sunday, 29 of January 2012, Märt Laak wrote: