I'm having trouble enabling TLS 1.2 connections on a Windows (environment has both Windows 2008 and Windows 10 environments) platform. Thank you to everyone and their suggestions. Currently, my private keys are managed by the Windows certificate store, using the CAPI engineId within stunnel (v 5.41), which uses OpenSSL 1.0.2k-fips. Because of this, stunnel can only negotiate a TLS 1.1 connection (SSLv2 and SSLv3/TLS1 are disabled for obvious reasons). I've tried compiling OpenSSL 1.1.0f and stunnel 5.41, but no luck either cross compiling under CentOS, nor under Windows using either MSYS2/MINGW32 or Cygwin. I am specifically looking for a way to manage the pfx/p12 (private key) in stunnel without resorting to the Windows certificate store. I found an example on how to configure stunnel to use capi - which worked beautifully, but because openssl 1.0.2 doesn't support ciphers that are used in TLS 1.2, only TLS 1.1 works.
documents why I can't use TLS 1.2 with OpenSSL 1.0.2. OpenSSL 1.0.2 is what is built into stunnel 5.41. I'm specifically looking for how to configure stunnel to point at a pkcs12 key.

May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: PRNG seeded successfully.
May 3 08:53:54 kerzanoserv stunnel: LOG7[ui]: Wrote 1024 new random bytes to /home/eoin/.rnd.
May 3 09:29:57 kerzanoserv stunnel: LOG3[0]: SSL_connect: 1416F086: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed.

openssl dhparam -out /home/httpd/conf/dhparams.pem 2048
Then add the following line to your Apache SSL configuration:
SSLOpenSSLConfCmd DHParameters '/home/httpd/conf/dhparams.pem'
Ensure that you have appropriate permissions on your dhparams.pem file, and note that V5 does not support this configuration.

I have been working with the SSLServer class in Ruby and have run across a problem that I cannot get my head around:
My basic server application accepts and handles SSL connections as it should (or as I think it should), but when I use telnet (non-SSL
I immediately assumed that there was a problem in my code so I began stripping it down to the bare minimum required.
Not correct the issue, I ended up with the most basic SSLServer possible.
Current test code (this code is not mine, but was the most basic SSLServer example that I could find…the result is the same with this
ctx.cert = X509::Certificate.new(File.read('/home/riot82/blah.crt'))
ctx.key = PKey::RSA.new(File.read('/home/riot82/blah.key'))
This code works like I would expect when testing a connection with:
Telnet makes the connection, but upon exit the server crashes with the
/usr/lib/ruby/1.8/openssl/ssl.rb:171:in `accept': SSL_accept SYSCALL returned=5 errno=0 state=SSLv2/v3 read client hello A (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/1.8/openssl/ssl.rb:171:in `accept'
I have been able to duplicate this error on both my computer at work (Ubuntu) and on my workstation at home (Slackware 12.2).
Since I am making the assumption that my code is still the problem (I have googled around for anybody having this same problem but have been unable to find anything) if somebody could possibly help point me in the right direction it would be most appreciated.
*If somebody is aware of a problem in the actual library itself (I looked at class but was unable to see anything that I would call "wrong"…maybe an error could be handled more gracefully though?) or if
I would also love to

This was a known issue and has been fixed in 1.9

Thank you again to anybody that can help.
You were absolutely correct in that I was getting an SSL exception, but I refused to believe that this should be "normal" behavior.
Opinion an SSLServer in ruby should not crash by default when an
I started digging deeper and I ended up fixing it by modifying the actual openssl/ssl.rb file.
Previously the code in the "accept" method
sock = OpenSSL::SSL::SSLSocket.new(sock, = true
I have modified it by adding an extra rescue clause:
This still spews an error server side but my server does not crash anymore.
**This fix does not work for the example code that I posted above so I can probably add more code and handle the exception more
It does fix the issue in my SSLServer that
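The failure described in this thread (a plaintext telnet client connecting to an SSLServer makes the handshake raise OpenSSL::SSL::SSLError, and an unrescued exception takes the whole server down) and the poster's remedy (rescue around the accept) are shown below as an added example. It is not code from the thread or from Ruby's openssl library. Instead of patching openssl/ssl.rb, it sets SSLServer#start_immediately to false so the TCP accept and the TLS handshake are separate steps, and it rescues the handshake per connection so one bad client costs one connection, not the listener. The RobustSSLServer class and the plaintext_probe, tls_echo and demo helpers are this example's own names; the self-signed certificate is constructed in memory and the listener uses an ephemeral loopback port.

```ruby
require 'openssl'
require 'socket'
require 'timeout'

# Constructed throwaway identity for 127.0.0.1 (not a real credential).
def make_self_signed_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# SSLServer wrapper (hypothetical name) whose accept loop survives clients
# that never speak TLS: the handshake is done inside a per-connection rescue.
class RobustSSLServer
  attr_reader :port, :handshake_failures, :served

  def initialize
    cert, key = make_self_signed_identity
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.cert = cert
    ctx.key = key
    tcp = TCPServer.new('127.0.0.1', 0)      # ephemeral loopback port
    @port = tcp.addr[1]
    @server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
    @server.start_immediately = false        # handshake is performed explicitly in #run
    @handshake_failures = 0
    @served = 0
  end

  def run
    loop do
      begin
        ssl = @server.accept                 # TCP-level accept only, no TLS yet
      rescue IOError, Errno::EBADF, Errno::EINVAL
        break                                # listener closed by #stop
      end
      begin
        ssl.accept                           # TLS handshake; raises on plaintext input
        line = ssl.gets
        ssl.puts("echo: #{line.chomp}") if line
        @served += 1
      rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, Errno::EPIPE
        @handshake_failures += 1             # count it and keep serving others
      ensure
        ssl.close rescue nil
      end
    end
  end

  def stop
    @server.close
  end
end

# The thread's telnet scenario: plain bytes sent to the TLS port.
def plaintext_probe(port)
  s = TCPSocket.new('127.0.0.1', port)
  s.write("GET / HTTP/1.0\r\n\r\n")
  s.close
end

# Proper TLS client; verification is off only because the cert is self-signed.
def tls_echo(port, line)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  ssl.sync_close = true
  ssl.connect
  ssl.puts(line)
  reply = ssl.gets
  ssl.close
  reply && reply.chomp
end

# Plaintext client first, then a real TLS client on the same listener;
# returns what the server recorded so the survival is observable.
def demo
  srv = RobustSSLServer.new
  thread = Thread.new { srv.run }
  plaintext_probe(srv.port)
  Timeout.timeout(10) { sleep 0.05 until srv.handshake_failures >= 1 }
  reply = Timeout.timeout(10) { tls_echo(srv.port, 'hello') }
  srv.stop
  thread.join(5)
  { failures: srv.handshake_failures, served: srv.served, reply: reply }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running `demo` reports one handshake failure for the plaintext client and one served TLS connection afterwards, which is the behaviour the thread wanted by default: the error is still recorded server side, but the listener keeps accepting. Keeping the rescue per connection, rather than around the whole loop, also means a legitimate client that arrives during a flood of bad ones is not affected.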