[stunnel-users] stunnel 5.50 released

Jakob Hirsch jh at plonk.de
Wed Dec 5 12:10:19 CET 2018


Hi!

(sorry, I previously sent this off-list by mistake...)

On 2018-12-04 11:14, Małgorzata Olszówka wrote:
>> Because I am using PSK and now the connection fails unless I disable TLS 1.3:
>> LOG3[1]: SSL_accept: 141F9044: error:141F9044:SSL routines:tls_parse_ctos_psk:internal error

> Hello,
> I was able to replicate this error with OpenSSL-1.1.1 without stunnel.
> It looks like the problem is caused by a long key.
> I recommend upgrading the openssl version or shortening the key.

Using openssl s_server/s_client, I found that the key length limit is
128 (i.e. 64 bytes or 512 bits).
I tested this on an arch linux system (which already has openssl
1.1.1a), where there was no issue with longer keys, so this is probably
a bug in 1.1.1.

AFAICS, stunnel just gives a plain copy of the key from the PSK file, so
if I use a psk key with 64 chars or less, it should work. I tried with a
key length of 20 chars (the minimum accepted by stunnel), but now I get
this error:

LOG3[13]: SSL_accept: 14094438: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Unfortunately, there is no openssl 1.1.1a rpm for Fedora yet (and
building it myself is not something I would do light-heartedly), so I
will stick with TLS 1.2 for now.

Thanks and regards,
Jakob
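
As an added example (not code from this thread, and not stunnel's own code), here is a small Python linter for a stunnel PSKsecrets file that checks each key against the two limits the post reports. It assumes the file format described in the stunnel manual (one "IDENTITY:KEY" per line, with a key made only of hex digits converted to binary before use), takes 20 characters as the minimum stunnel accepts and 64 bytes (128 hex characters) as the longest PSK that negotiated over TLS 1.3 with OpenSSL 1.1.1; both thresholds are the post's observations, not specification values. The sample file, identities and keys are constructed for the demo.

```python
"""Lint a stunnel PSKsecrets file for the key-length problems discussed above.

Added example: this is not stunnel's code and not from the thread.  Assumptions:
  * File format "IDENTITY:KEY", one per line, with all-hex keys converted to
    binary by stunnel, as described in the stunnel manual.
  * MIN_KEY_CHARS = 20: the minimum key length the post says stunnel accepts.
  * MAX_PSK_BYTES = 64: the longest PSK the post could negotiate over TLS 1.3
    with OpenSSL 1.1.1 (128 hex characters); longer keys hit the
    tls_parse_ctos_psk "internal error" on that release.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MIN_KEY_CHARS = 20   # stunnel minimum, per the post (assumption, not a spec value)
MAX_PSK_BYTES = 64   # observed OpenSSL 1.1.1 TLS 1.3 limit, per the post
HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass
class PskEntry:
    line_no: int
    identity: str
    key: str
    key_bytes: bytes          # what stunnel would hand to OpenSSL
    is_hex: bool              # True if stunnel would decode the key as hex
    problems: list[str] = field(default_factory=list)


def looks_hex(key: str) -> bool:
    """Mirror stunnel's rule: an even-length string of hex digits is decoded."""
    return len(key) > 0 and len(key) % 2 == 0 and set(key) <= HEX_DIGITS


def lint_psksecrets(text: str) -> list[PskEntry]:
    """Return one PskEntry per non-blank line, with any problems attached."""
    entries: list[PskEntry] = []
    first_seen: dict[str, int] = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        identity, sep, key = raw.partition(":")
        if not sep:
            entries.append(PskEntry(line_no, raw, "", b"", False,
                                    ["missing ':' separator between IDENTITY and KEY"]))
            continue
        entry = PskEntry(line_no, identity, key, b"", looks_hex(key))
        entry.key_bytes = bytes.fromhex(key) if entry.is_hex else key.encode("utf-8")
        if not identity:
            entry.problems.append("empty identity")
        if identity in first_seen:
            entry.problems.append(
                f"duplicate identity, first seen on line {first_seen[identity]}")
        else:
            first_seen[identity] = line_no
        if len(key) < MIN_KEY_CHARS:
            entry.problems.append(
                f"key is {len(key)} chars, shorter than stunnel's minimum of {MIN_KEY_CHARS}")
        if len(entry.key_bytes) > MAX_PSK_BYTES:
            entry.problems.append(
                f"key is {len(entry.key_bytes)} bytes after decoding, too long for a "
                f"TLS 1.3 PSK on OpenSSL 1.1.1 (limit {MAX_PSK_BYTES}); "
                "shorten it or upgrade OpenSSL")
        entries.append(entry)
    return entries


def offending_identities(entries: list[PskEntry]) -> list[str]:
    """Identities (or raw malformed lines) that have at least one problem."""
    return [e.identity for e in entries if e.problems]


# Constructed sample file; the identities and keys are made up for the demo.
SAMPLE_PSKSECRETS = "\n".join([
    "client1:" + "0123456789abcdef" * 8,         # 128 hex chars -> 64 bytes: longest that worked
    "client2:" + "0123456789abcdef" * 8 + "00",  # 130 hex chars -> 65 bytes: over the limit
    "client3:" + "x" * 72,                       # not hex: 72 raw bytes, also over the limit
    "client4:correct horse battery staple",      # 28 raw chars, fine
    "client5:short",                             # under the 20-char minimum
    "no-separator-here",                         # malformed line
    "",                                          # blank lines are skipped
    "client4:" + "a" * 40,                       # duplicate identity; hex-like, so 20 bytes on the wire
])

if __name__ == "__main__":
    for e in lint_psksecrets(SAMPLE_PSKSECRETS):
        status = "OK " if not e.problems else "BAD"
        print(f"{status} line {e.line_no} {e.identity!r} "
              f"({len(e.key_bytes)} bytes{', hex' if e.is_hex else ''})")
        for p in e.problems:
            print(f"      - {p}")
```

Run it against a real PSKsecrets file by passing the file contents to lint_psksecrets(); the hex check matters because a raw key that happens to consist only of hex digits is decoded by stunnel and ends up with half as many bytes on the wire as its character count suggests.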
