[stunnel-users] Stunnel.conf won't load with certain ciphers.

Thomas Eifert kxkvi at wi.rr.com
Fri Mar 9 03:44:57 CET 2012 

Hello all:

I'm running Stunnel 4.52 under WinXP SP3.

Last night I had some questions about how the cipher list in Stunnel 
interacts with the
cipher negotiation routine between client and server, so I did some 
experiments in an
attempt to address those questions.

In the course of doing so, I noticed that, if I attempt to load certain 
ciphers, Stunnel
would stall at configuration load.

Using OpenSSL to list TLS ciphers with 4.52's libraries yields the 
following:

~~~~~~~~~~~~~~~~~~~~~

C:\Program Files\stunnel>openssl ciphers -v -tls1

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 
export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 
export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 
export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  
export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  
export

C:\Program Files\stunnel>

~~~~~~~~~~~~~~~~~~~~~

As such, ciphers RC4-SHA and RC4-MD5 appear to be valid.  However, any 
attempt at using those
in client mode causes Stunnel to stall when reading the cipher from 
stunnel.conf:

~~~~~~~~~~~~~~~~~~~~~

2012.03.08 20:17:10 LOG5[432:592]: Reading configuration from file 
stunnel.conf
2012.03.08 20:17:10 LOG5[432:592]: FIPS mode is enabled
2012.03.08 20:17:10 LOG7[432:592]: Compression not enabled
2012.03.08 20:17:10 LOG7[432:592]: Snagged 64 random bytes from C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: Wrote 1024 new random bytes to C:/.rnd
2012.03.08 20:17:10 LOG7[432:592]: PRNG seeded successfully
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service 
nntps.1
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from 
peer-nntps.1.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.1.pem revocation 
lookup file
2012.03.08 20:17:10 LOG7[432:592]: SSL options set: 0x00000004
2012.03.08 20:17:10 LOG6[432:592]: SSL context initialized
2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for service 
nntps.2
2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from 
peer-nntps.2.pem
2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.2.pem revocation 
lookup file
2012.03.08 20:17:10 LOG3[432:592]: SSL_CTX_set_cipher_list: 1410D0B9: 
error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2012.03.08 20:17:10 LOG3[432:592]: Failed to reload the configuration file
2012.03.08 20:17:10 LOG7[432:592]: Signal pipe is empty

~~~~~~~~~~~~~~~~~~~~

This is the relevant snippet from my stunnel.conf file:

~~~~~~~~~~~~~~~~~~~~

debug = 7
delay = yes
output = stunnel.log

[nntps.1]
client = yes
sslVersion = TLSv1
ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
cafile = peer-nntps.1.pem
verify = 4
accept = 127.0.1.1:119
connect = news.server.com:443

[nntps.2]
client = yes
sslVersion = TLSv1
ciphers = RC4-SHA
cafile = peer-nntps.2.pem
verify = 4
accept = 127.0.1.2:119
connect = news.server.org:563

~~~~~~~~~~~~~~~~~~~~

Any attempt at using ciphers RC4-SHA or RC4-MD5. with or without TLS 
specified, results in
the same configuration crash.

I don't really need to use those ciphers, but since I observed this 
behavior, I thought I'd better
report it.

Any comments welcome.

Regards;

Thomas
.

-- 
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.

More information about the stunnel-users mailing list