[stunnel-users] Stunnel.conf won't load with certain ciphers.

Thomas Eifert kxkvi at wi.rr.com
Fri Mar 9 06:40:43 CET 2012 

Update:

I uninstalled version 4.52, then reinstalled version 4.47.  RC4-SHA 
cipher now works correctly,
with the same stunnel.conf.

~~~~~~~~~~~~~~~~~~~~~~

2012.03.08 23:36:50 LOG5[420:580]: stunnel 4.47 on x86-pc-mingw32-gnu 
platform
2012.03.08 23:36:50 LOG5[420:580]: Compiled/running with OpenSSL 1.0.0e 
6 Sep 2011
2012.03.08 23:36:50 LOG5[420:580]: Threading:WIN32 SSL:ENGINE Auth:none 
Sockets:SELECT,IPv6
2012.03.08 23:36:50 LOG5[420:580]: Reading configuration from file 
stunnel.conf
2012.03.08 23:36:50 LOG6[420:580]: Initializing SSL context for service 
nntps.1
2012.03.08 23:36:50 LOG6[420:580]: SSL context initialized
2012.03.08 23:36:50 LOG6[420:580]: Initializing SSL context for service 
nntps.2
2012.03.08 23:36:50 LOG6[420:580]: SSL context initialized
2012.03.08 23:36:50 LOG5[420:580]: Configuration successful
2012.03.08 23:37:08 LOG5[420:2804]: Service nntps.2 accepted connection 
from 127.0.1.2:1033
2012.03.08 23:37:08 LOG6[420:2804]: connect_blocking: connecting 
88.198.244.100:563
2012.03.08 23:37:09 LOG5[420:2804]: connect_blocking: connected 
88.198.244.100:563
2012.03.08 23:37:09 LOG5[420:2804]: Service nntps.2 connected remote 
server from 173.89.4.172:1034
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=2, 
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Certification Authority
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=1, 
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom 
Class 1 Primary Intermediate Server CA
2012.03.08 23:37:09 LOG6[420:2804]: CERT: Locally installed certificate 
matched
2012.03.08 23:37:09 LOG5[420:2804]: Certificate accepted: depth=0, 
/description=436134-bRSt8Rml1Sum890r/CN=news.eternal-september.org/emailAddress=wolfgang at weyand-hg.de
2012.03.08 23:37:09 LOG6[420:2804]: SSL connected: new session negotiated
2012.03.08 23:37:09 LOG6[420:2804]: Negotiated ciphers: RC4-SHA SSLv3 
Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
2012.03.08 23:37:20 LOG6[420:2804]: SSL_shutdown successfully sent 
close_notify
2012.03.08 23:37:20 LOG5[420:2804]: Connection closed: 1251 bytes sent 
to SSL, 1861 bytes sent to socket

Regards;

Thomas

On 3/8/2012 8:44 PM, Thomas Eifert wrote:
> Hello all:
>
> I'm running Stunnel 4.52 under WinXP SP3.
>
> Last night I had some questions about how the cipher list in Stunnel 
> interacts with the
> cipher negotiation routine between client and server, so I did some 
> experiments in an
> attempt to address those questions.
>
> In the course of doing so, I noticed that, if I attempt to load 
> certain ciphers, Stunnel
> would stall at configuration load.
>
> Using OpenSSL to list TLS ciphers with 4.52's libraries yields the 
> following:
>
> ~~~~~~~~~~~~~~~~~~~~~
>
> C:\Program Files\stunnel>openssl ciphers -v -tls1
>
> DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
> AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
> AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
> IDEA-CBC-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=IDEA(128) Mac=SHA1
> RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
> RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
> EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
> EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
> DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
> EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   
> Mac=SHA1 export
> EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   
> Mac=SHA1 export
> EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   
> Mac=SHA1 export
> EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   
> Mac=MD5  export
> EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   
> Mac=MD5  export
>
> C:\Program Files\stunnel>
>
> ~~~~~~~~~~~~~~~~~~~~~
>
> As such, ciphers RC4-SHA and RC4-MD5 appear to be valid.  However, any 
> attempt at using those
> in client mode causes Stunnel to stall when reading the cipher from 
> stunnel.conf:
>
> ~~~~~~~~~~~~~~~~~~~~~
>
> 2012.03.08 20:17:10 LOG5[432:592]: Reading configuration from file 
> stunnel.conf
> 2012.03.08 20:17:10 LOG5[432:592]: FIPS mode is enabled
> 2012.03.08 20:17:10 LOG7[432:592]: Compression not enabled
> 2012.03.08 20:17:10 LOG7[432:592]: Snagged 64 random bytes from C:/.rnd
> 2012.03.08 20:17:10 LOG7[432:592]: Wrote 1024 new random bytes to C:/.rnd
> 2012.03.08 20:17:10 LOG7[432:592]: PRNG seeded successfully
> 2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for 
> service nntps.1
> 2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from 
> peer-nntps.1.pem
> 2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.1.pem revocation 
> lookup file
> 2012.03.08 20:17:10 LOG7[432:592]: SSL options set: 0x00000004
> 2012.03.08 20:17:10 LOG6[432:592]: SSL context initialized
> 2012.03.08 20:17:10 LOG6[432:592]: Initializing SSL context for 
> service nntps.2
> 2012.03.08 20:17:10 LOG7[432:592]: Loaded verify certificates from 
> peer-nntps.2.pem
> 2012.03.08 20:17:10 LOG7[432:592]: Loaded peer-nntps.2.pem revocation 
> lookup file
> 2012.03.08 20:17:10 LOG3[432:592]: SSL_CTX_set_cipher_list: 1410D0B9: 
> error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
> 2012.03.08 20:17:10 LOG3[432:592]: Failed to reload the configuration 
> file
> 2012.03.08 20:17:10 LOG7[432:592]: Signal pipe is empty
>
> ~~~~~~~~~~~~~~~~~~~~
>
> This is the relevant snippet from my stunnel.conf file:
>
> ~~~~~~~~~~~~~~~~~~~~
>
> debug = 7
> delay = yes
> output = stunnel.log
>
> [nntps.1]
> client = yes
> sslVersion = TLSv1
> ciphers = DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:AES256-SHA
> cafile = peer-nntps.1.pem
> verify = 4
> accept = 127.0.1.1:119
> connect = news.server.com:443
>
> [nntps.2]
> client = yes
> sslVersion = TLSv1
> ciphers = RC4-SHA
> cafile = peer-nntps.2.pem
> verify = 4
> accept = 127.0.1.2:119
> connect = news.server.org:563
>
> ~~~~~~~~~~~~~~~~~~~~
>
> Any attempt at using ciphers RC4-SHA or RC4-MD5. with or without TLS 
> specified, results in
> the same configuration crash.
>
> I don't really need to use those ciphers, but since I observed this 
> behavior, I thought I'd better
> report it.
>
> Any comments welcome.
>
> Regards;
>
> Thomas
> .
>

-- 
Attention: This message and all attachments are private and may contain information that is confidential and privileged. If you received this message in error, please notify the sender by reply email and delete the message immediately.

More information about the stunnel-users mailing list