[stunnel-users] Configure Error
Rob Lockhart
rlockhar at gmail.com
Fri Apr 14 00:08:10 CEST 2017
One more good link:
https://wiki.openssl.org/index.php/Compilation_and_Installation
Be sure to read the parts about the --prefix and --openssldir compiler
directives. The FIPS mode puts restrictions on some keys (prohibiting weak
ones), but IIRC you can do the same with proper config files too.
Good luck!
On Thu, Apr 13, 2017 at 5:32 PM, Kenway Ng <kenwayng at gmail.com> wrote:
> Thanks Rob. Appreciate the information.
>
> On Thu, Apr 13, 2017, 4:28 PM Rob Lockhart <rlockhar at gmail.com> wrote:
>
>> According to this:
>> https://access.redhat.com/support/policy/updates/errata
>>
>> RHEL5 is out of support as of 3/31/2017 for patches, except for security
>> patching. No new features will be added to RHEL5, to include TLS v1.1
>> support (requires OpenSSL 1.0.x).
>>
>> First compile OpenSSL 1.0.2 (in a different path), then compile Stunnel
>> (5.41) using the /usr/local for the prefix (per previous links), and
>> perhaps some other switches too (based on info from those URLs).
>>
>> From the links I found, you can have multiple versions of OpenSSL, but
>> you have to link to one when compiling Stunnel. The one you choose when
>> compiling Stunnel will want to be the newer one you compiled. IMHO, I would
>> migrate your RHEL5 to RHEL6 or RHEL7, but that may be considerably more
>> difficult than just compiling OpenSSL and Stunnel.
>>
>> -Rob
>>
>> On Thu, Apr 13, 2017 at 4:15 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>>
>>> Please let me know if I am completely off. The version of openssl we
>>> are running is 0.9.8e-fips-rhel5 01 Jul 2008. So if we want version
>>> TLS1.1+ then we need to recompile the STUNNEL src with an updated version
>>> of openssl we are running on our server. Something higher than 0.9.8. Is
>>> that right ? Is it possible to find a version that was already compiled
>>> with a higher version of openssl ?
>>>
>>> On Wed, Apr 12, 2017 at 5:49 PM, Rob Lockhart <rlockhar at gmail.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Wed, Apr 12, 2017 at 5:22 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>>>>
>>>>>
>>>>> I am trying to upgrade our version of stunnel. Our SME left and now I
>>>>> am trying to upgrade stunnel to fix a vulnerability . I am being told to
>>>>> use TLS1.1 or higher
>>>>>
>>>>> $ ./stunnel -version
>>>>>
>>>>> stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5
>>>>> 01 Jul 2008
>>>>>
>>>>> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
>>>>>
>>>>>
>>>>>
>>>>
>>>> I don't have RHEL5 64-bit but these links may help:
>>>>
>>>> https://miteshshah.github.io/linux/centos/how-to-enable-
>>>> openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/
>>>>
>>>> http://serverfault.com/questions/296765/cannot-find-ssl-libraries-when-
>>>> configuring-stunnel
>>>>
>>>> These links involve re-compiling OpenSSL and Stunnel, in that order. I
>>>> would opt for OpenSSL 1.0.2k (latest as of 20170412) since 1.0.1 and below
>>>> are all EOL as of 12/31/2016. OpenSSL 0.9.8 supports only TLS v1.0,
>>>> whereas OpenSSL 1.0.1 supports TLS v1.0, v1.1 and v1.2.
>>>>
>>>> -Rob
>>>>
>>>
>>>
>> _______________________________________________
>> stunnel-users mailing list
>> stunnel-users at stunnel.org
>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170413/e697238a/attachment.html>
More information about the stunnel-users
mailing list