[stunnel-users] stunnel-users Digest, Vol 57, Issue 10

Brian P Hinz bphinz at hotmail.com
Wed Apr 22 06:53:52 CEST 2009 

>> Does stunnel support the use of the aNULL cipher suites?  I can't
>> seem to make it work, stunnel just fails with a "no shared
>> ciphers" message.  I don't think that the problem is with openssl
>> or the client, since when I test it with s_server the handshake
>> completes. 
>> 
>
>
>Review the default cipher list.
>
>Do...
>
>stunnel -version
>
>
>Then edit configuration file ciphers options to suit requirements.

I was trying to get stunnel working with anonymous ciphers (SSL_DH_anon_WITH_RC4_MD5_128, etc.) from a java based client and found that s_server succeeded while stunnel failed with the "no shared ciphers" message because it has routines to initialize a temporary DH key in the absence of a certificate.  Here's a sloppy patch that just borrows those routines from the s_server source code.  This is against an older version of stunnel (RHEL4u7 based system), but the latest version also fails without similar patching.

Cheers,
-brian

# cat /usr/src/redhat/SOURCES/stunnel-4.05-dhe.patch 
--- stunnel-4.05/src/ssl.c.dhe	2004-01-25 14:26:03.000000000 -0500
+++ stunnel-4.05/src/ssl.c	2009-04-22 00:11:10.000000000 -0400
@@ -236,6 +236,32 @@
     return -1; /* FAILED */
 }
 
+static unsigned char dh512_p[]={
+	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
+	0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
+	0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
+	0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
+	0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
+	0x47,0x74,0xE8,0x33,
+};
+
+static unsigned char dh512_g[]={
+	0x02,
+};
+
+static DH *get_dh512(void);
+
+static DH *get_dh512(void) {
+	DH *dh=NULL;
+
+  if ((dh=DH_new()) == NULL) return(NULL);
+  dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
+  dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
+  if ((dh->p == NULL) || (dh->g == NULL))
+    return(NULL);
+  return(dh);
+}
+
 static int init_dh(void) {
 #ifdef USE_DH
     FILE *fp;
@@ -274,6 +300,12 @@
     log(LOG_INFO, "Diffie-Hellman initialized with %d bit key",
         8*DH_size(dh));
     DH_free(dh);
+#else
+    DH *dh=NULL;
+    log(LOG_INFO,"Using default temp DH parameters\n");
+    dh=get_dh512();
+    SSL_CTX_set_tmp_dh(ctx,dh);
+    DH_free(dh);
 #endif /* USE_DH */
     return 0; /* OK */
 }

More information about the stunnel-users mailing list