[stunnel-users] Problems with Stunnel 4.5*

Ludovic LEVET llevet at ludosoft.org
Thu Dec 8 23:55:47 CET 2011


Hi,

Your log says there is a problem with your cert/key.

Your certificate/private-key pair must be an RSA or DSA key.

IDEA and RSA are part of the ciphers, not part of the key/cert.

Use the openssl shipped with stunnel to do these manipulations:
- Open a CMD window with administrator rights
- cd C:\Program Files (x86)\stunnel


Then convert your PKCS12 key/cert pair to PEM format like this:

# export certificate and passphrase-less key
openssl pkcs12 -in mycert.pfx -out mycert.pem -nodes

# same as above, but you'll be prompted for a passphrase for
# the private key
openssl pkcs12 -in mycert.pfx -out mycert.pem


Then verify that your PEM file is valid like this:

# checks the certificate (chain) in the file, not the private key
openssl verify mycert.pem

If it is OK, then put this in your stunnel.conf:
cert = mycert.pem

and retry.


Then, to choose compatible ciphers, this is what is built into the openssl
bundled with stunnel 4.50 or 4.51:


C:\>cd C:\Program Files (x86)\stunnel

C:\Program Files (x86)\stunnel>openssl.exe ciphers -v
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export




Ludovic.


> Hello Mike,
>
> I can only make a statement about the non-FIPS mode, because Stunnel 4.5*
> starts only if "fips = no" is set (without it, Windows gives an error message).
>
> I have tested both an RSA-SHA384/AES128 certificate/priv-key pair and an
> RSA-RMD160/IDEA certificate/priv-key pair. Both do not work.
> (SHA384/AES128 is validated by FIPS 140-2, but not provided by PKCS12. Could
> it be due to it?)
>
> Yours sincerely
> Sebastian
>
>> Sebastian Rose-Indorf wrote:
>>> Stunnel 4.51b1 however
>>> - starts only if "fips = no" is set;
>>> - does not accept my certificate and my private key (SHA384 or RMD160,
>>> AES128 or IDEA) any more:
>>>
>>> error queue: 140B0009: error:140B0009:SSL
>>> routines:SSL_CTX_use_PrivateKey_file:PEM lib
>>> error queue: 907B00D: error:0907B00D:PEM
>>> routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib
>>> error queue: 2306A075: error:2306A075:PKCS12
>>> routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error
>>> error queue: 23077073: error:23077073:PKCS12
>>> routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error
>>> SSL_CTX_use_PrivateKey_file: 6074079: error:06074079:digital envelope
>>> routines:EVP_PBE_CipherInit:unknown pbe algorithm
>> Do you mean that stunnel does not accept non-FIPS-approved algorithms
>> in FIPS mode?  I suppose this is something to be expected...
>>
>> Or maybe you rather mean that in FIPS mode it does not start at all
>> (what does it mean exactly?), and with FIPS mode turned off you still
>> can't use non-FIPS algorithms?
>>
>> This essay may be helpful:
>> http://www.chiark.greenend.org.uk/~sgtatham/bugs.html
>>
>> BTW: While it's perfectly okay that OpenSSL doesn't accept IDEA as PBE
>> algorithm (who would want to use IDEA, anyway), I'm surprised there
>> are also problems with AES128.  It might be a good idea to report it
>> to openssl-users mailing list...
>>
>> Mike




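The PKCS12-to-PEM conversion and the checks Ludovic describes, carried through end to end as an added example; this is not code from the thread or from the stunnel project. It assumes a throwaway self-signed test certificate, a hypothetical passphrase `changeit` for the test .pfx, and working files under a temporary directory `$WORK`. The .pfx is deliberately built with the key shrouded by AES-128-CBC, the kind of key PBE the quoted error log reports as "unknown pbe algorithm", to show that a passphrase-less PEM sidesteps the PBE entirely. The last function checks a cipher string for the `ciphers =` option of stunnel.conf against the export, RC4, single-DES and SSLv2 suites that appear in the bundled list above.

```shell
#!/bin/sh
# Added example (not from the thread or the stunnel project): round-trip a
# key/cert pair through PKCS12 and back to PEM, then check the PEM the way
# stunnel will consume it. Assumptions: throwaway self-signed test cert,
# hypothetical passphrase, files under $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12PASS='changeit'            # assumed passphrase for the test .pfx only

# Test fixture: a fresh RSA key and self-signed certificate.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=stunnel-test' \
        -keyout "$WORK/test.key" -out "$WORK/test.crt" 2>/dev/null
}

# Bundle into PKCS12 with the key shrouded by AES-128-CBC (PBES2), the kind
# of key PBE the poster's stunnel build rejected as "unknown pbe algorithm".
make_pfx() {
    openssl pkcs12 -export -in "$WORK/test.crt" -inkey "$WORK/test.key" \
        -keypbe AES-128-CBC -passout "pass:$P12PASS" -out "$WORK/mycert.pfx"
}

# The conversion from the thread: cert plus passphrase-less key in one PEM,
# so stunnel never has to understand the PKCS12 PBE at all.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/mycert.pfx" -passin "pass:$P12PASS" -nodes \
        -out "$WORK/mycert.pem"
}

# Check 1: stunnel loads the key without a prompt, so it must not be encrypted.
key_is_unencrypted() {
    [ -s "$WORK/mycert.pem" ] && ! grep -q 'ENCRYPTED' "$WORK/mycert.pem"
}

# Check 2: the key in the file must belong to the certificate in the file
# (compare the public key carried by each).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$WORK/mycert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$WORK/mycert.pem" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check 3: "openssl verify" needs a trust anchor; a self-signed cert is its own.
cert_verifies() {
    openssl verify -CAfile "$WORK/mycert.pem" "$WORK/mycert.pem" >/dev/null
}

# Check 4: a cipher string for "ciphers =" in stunnel.conf must resolve and
# must contain none of the export, RC4, single-DES or SSLv2 suites.
cipher_string_is_clean() {
    suites=$(openssl ciphers -v "$1" 2>/dev/null) || return 1
    ! printf '%s\n' "$suites" | grep -q -e ' export' -e 'Enc=RC4' -e 'Enc=DES(' -e 'SSLv2'
}

demo() {
    make_test_pair
    make_pfx
    pfx_to_pem
    key_is_unencrypted
    key_matches_cert
    cert_verifies
    cipher_string_is_clean 'HIGH:!aNULL:!EXP:!RC4:!DES:!MD5'
    echo "all checks passed; line for stunnel.conf:  cert = $WORK/mycert.pem"
}

demo
```

Run it with the openssl that stunnel ships (so the checks exercise the same library that will load the file), and point `cert =` in stunnel.conf at the resulting PEM.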