[stunnel-users] Configure Error
Josealf.rm
josealf at rocketmail.com
Fri Apr 14 16:56:47 CEST 2017
I backported the redhat/centos 6.x OpenSSL rpm package to 5.x. It is running fine on centos 5 32bits. I can provide you the source rpm and you can recompile on your 64bit Os.
Saludos
Jose Alfredo Diaz
Cerrejón
> On Apr 13, 2017, at 5:08 PM, Rob Lockhart <rlockhar at gmail.com> wrote:
>
> One more good link:
> https://wiki.openssl.org/index.php/Compilation_and_Installation
> Be sure to read the parts about the --prefix and --openssldir compiler directives. The FIPS mode puts restrictions on some keys (prohibiting weak ones), but IIRC you can do the same with proper config files too.
>
> Good luck!
>
>> On Thu, Apr 13, 2017 at 5:32 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>> Thanks Rob. Appreciate the information.
>>
>>> On Thu, Apr 13, 2017, 4:28 PM Rob Lockhart <rlockhar at gmail.com> wrote:
>>> According to this:
>>> https://access.redhat.com/support/policy/updates/errata
>>>
>>> RHEL5 is out of support as of 3/31/2017 for patches, except for security patching. No new features will be added to RHEL5, to include TLS v1.1 support (requires OpenSSL 1.0.x).
>>>
>>> First compile OpenSSL 1.0.2 (in a different path), then compile Stunnel (5.41) using the /usr/local for the prefix (per previous links), and perhaps some other switches too (based on info from those URLs).
>>>
>>> From the links I found, you can have multiple versions of OpenSSL, but you have to link to one when compiling Stunnel. The one you choose when compiling Stunnel will want to be the newer one you compiled. IMHO, I would migrate your RHEL5 to RHEL6 or RHEL7, but that may be considerably more difficult than just compiling OpenSSL and Stunnel.
>>>
>>> -Rob
>>>
>>>> On Thu, Apr 13, 2017 at 4:15 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>>>> Please let me know if I am completely off. The version of openssl we are running is 0.9.8e-fips-rhel5 01 Jul 2008. So if we want version TLS1.1+ then we need to recompile the STUNNEL src with an updated version of openssl we are running on our server. Something higher than 0.9.8. Is that right ? Is it possible to find a version that was already compiled with a higher version of openssl ?
>>>>
>>>>> On Wed, Apr 12, 2017 at 5:49 PM, Rob Lockhart <rlockhar at gmail.com> wrote:
>>>>>
>>>>>
>>>>>> On Wed, Apr 12, 2017 at 5:22 PM, Kenway Ng <kenwayng at gmail.com> wrote:
>>>>>>
>>>>>> I am trying to upgrade our version of stunnel. Our SME left and now I am trying to upgrade stunnel to fix a vulnerability . I am being told to use TLS1.1 or higher
>>>>>>
>>>>>> $ ./stunnel -version
>>>>>>
>>>>>> stunnel 4.15 on x86_64-redhat-linux-gnu with OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
>>>>>>
>>>>>> Threading:PTHREAD SSL:ENGINE Sockets:POLL,IPv6 Auth:LIBWRAP
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> I don't have RHEL5 64-bit but these links may help:
>>>>>
>>>>> https://miteshshah.github.io/linux/centos/how-to-enable-openssl-1-0-2-a-tlsv1-1-and-tlsv1-2-on-centos-5-and-rhel5/
>>>>>
>>>>> http://serverfault.com/questions/296765/cannot-find-ssl-libraries-when-configuring-stunnel
>>>>>
>>>>> These links involve re-compiling OpenSSL and Stunnel, in that order. I would opt for OpenSSL 1.0.2k (latest as of 20170412) since 1.0.1 and below are all EOL as of 12/31/2016. OpenSSL 0.9.8 supports only TLS v1.0, whereas OpenSSL 1.0.1 supports TLS v1.0, v1.1 and v1.2.
>>>>>
>>>>> -Rob
>>>>
>>>
>>> _______________________________________________
>>> stunnel-users mailing list
>>> stunnel-users at stunnel.org
>>> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
>
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at stunnel.org
> https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.stunnel.org/pipermail/stunnel-users/attachments/20170414/ca8c88e1/attachment.html>
More information about the stunnel-users
mailing list