[stunnel-users] Problem with openssl engine
Nick Sayer
nsayer at kfu.com
Sat Feb 27 17:17:42 CET 2010
I'm trying to use a smart card to hold on to the private key for my server. Since access to the smart card is restricted to one process at a time (not sure why it can't be shared, but that's a whole separate discussion), I'd like to use stunnel as the machine-wide SSL proxy. The problem is that with the pkcs11 engine configuration set up, it fails.
2010.02.27 00:15:03 LOG5[91580:0]: imaps accepted connection from 71.141.64.2:32934
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): before/accept initialization
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): SSLv3 read client hello A
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): SSLv3 write server hello A
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): SSLv3 write certificate A
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): SSLv3 write server done A
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): SSLv3 flush data
2010.02.27 00:15:03 LOG7[91580:0]: SSL state (accept): SSLv3 read client key exchange A
2010.02.27 00:15:03 LOG7[91580:0]: SSL alert (write): fatal: bad record mac
2010.02.27 00:15:03 LOG3[91580:0]: SSL_accept: 1408F119: error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2010.02.27 00:15:03 LOG5[91580:0]: Connection reset: 0 bytes sent to SSL, 0 bytes sent to socket
2010.02.27 00:15:03 LOG7[91576:0]: Cleaning up the signal pipe
2010.02.27 00:15:03 LOG7[91576:0]: Process 91580 finished with code 0 (0 left)
^C2010.02.27 00:15:42 LOG3[91576:0]: Received signal 2; terminating
This happens *whether or not* I use the private key on the smart card itself. If I load the private key from a disk file, it still happens - even if there is no engineNum statement in the service configuration block. The only way to make it not happen is to comment out the engineCtrl lines.
engine=dynamic
engineCtrl=SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
engineCtrl=ID:pkcs11
engineCtrl=LIST_ADD:1
engineCtrl=LOAD
engineCtrl=MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so
engineCtrl=INIT
engineCtrl=PIN:12345678
[imaps]
accept = 4993
connect = 143
engineNum = 1
key = id_10
;cert = id_10
cert = /www.crt
It's also worth noting that stunnel seems unable to pull the cert out of the card - that cert=id_10 line should work (works with openssl s_server).
This stunnel was compiled last night from the FreeBSD ports tree with WITH_STUNNEL_SSL_ENGINE turned on.
stunnel 4.29 on i386-portbld-freebsd8.0 with OpenSSL 0.9.8k 25 Mar 2009
Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6
Global options
debug = 5
pid = /var/tmp/run/stunnel/stunnel.pid
RNDbytes = 64
RNDfile = /dev/urandom
RNDoverwrite = yes
Service-level options
cert = /usr/local/etc/stunnel/stunnel.pem
ciphers = AES:ALL:!aNULL:!eNULL:+RC4:@STRENGTH
key = /usr/local/etc/stunnel/stunnel.pem
session = 300 seconds
stack = 65536 bytes
sslVersion = SSLv3 for client, all for server
TIMEOUTbusy = 300 seconds
TIMEOUTclose = 60 seconds
TIMEOUTconnect = 10 seconds
TIMEOUTidle = 43200 seconds
verify = none
Note that the same card in the same system can successfully provide ssl server sockets with Java using the Sun PKCS11 JCE provider configured to talk to the opensc PKCS11 module. So there's nothing wrong with the card.
More information about the stunnel-users
mailing list