Package: stunnel
Version: 2:3.26-3
Severity: normal
Tags: patch

An attempt to use a DSA server certificate and private key with stunnel
produces the following error:

[EMAIL PROTECTED] /usr/sbin/stunnel -d 4433 -p dsaserver.pem -D 7 -f -P none -l /bin/cat -- cat
2005.11.09 20:07:53 LOG5[23269:16384]: Using 'cat' as tcpwrapper service name
2005.11.09 20:07:53 LOG7[23269:16384]: Snagged 64 random bytes from /home/vitus/.rnd
2005.11.09 20:07:53 LOG7[23269:16384]: Wrote 1024 new random bytes to /home/vitus/.rnd
2005.11.09 20:07:53 LOG7[23269:16384]: RAND_status claims sufficient entropy for the PRNG
2005.11.09 20:07:53 LOG6[23269:16384]: PRNG seeded successfully
2005.11.09 20:07:53 LOG7[23269:16384]: Certificate: dsaserver.pem
2005.11.09 20:07:53 LOG3[23269:16384]: SSL_CTX_use_RSAPrivateKey_file: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key

The problem is that the upstream author deliberately uses the RSA-specific
routine to load the private key whenever RSA support is compiled in. The
generic routine SSL_CTX_use_PrivateKey_file, which is only used when stunnel
is built without RSA support (NO_RSA), handles both DSA and RSA keys (and any
other key type supported by newer versions of OpenSSL).

To resolve this problem, the following patch can be applied to the stunnel
source.

--- ssl.c.orig  2005-11-09 20:24:09.000000000 +0300
+++ ssl.c       2005-11-09 19:54:32.000000000 +0300
@@ -101,19 +103,19 @@
             exit(1);
         }
         log(LOG_DEBUG, "Certificate: %s", options.pem);
-#ifdef NO_RSA
+/* #ifdef NO_RSA*/
         if(!SSL_CTX_use_PrivateKey_file(ctx, options.pem,
                 SSL_FILETYPE_PEM)) {
             sslerror("SSL_CTX_use_PrivateKey_file");
             exit(1);
         }
-#else /* NO_RSA */
-        if(!SSL_CTX_use_RSAPrivateKey_file(ctx, options.pem,
+/* #else *//* NO_RSA */
+/*        if(!SSL_CTX_use_RSAPrivateKey_file(ctx, options.pem,
                 SSL_FILETYPE_PEM)) {
             sslerror("SSL_CTX_use_RSAPrivateKey_file");
             exit(1);
-        } 
-#endif /* NO_RSA */
+        } */
+/* #endif *//* NO_RSA */
         if(!SSL_CTX_check_private_key(ctx)) {
             sslerror("Private key does not match the certificate");
             exit(1);
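Review bot: commenting the preprocessor lines out with block comments (the `+/* #ifdef NO_RSA*/`, `+/* #else *//* NO_RSA */` and `+/* #endif *//* NO_RSA */` lines) leaves the old RSA-only branch as dead text in ssl.c and is easy to misread; since the point of the change is that SSL_CTX_use_PrivateKey_file accepts RSA, DSA and any other key type, delete the whole `#ifdef NO_RSA` / `#else` / `#endif` block together with the `SSL_CTX_use_RSAPrivateKey_file` call and keep only the unconditional `SSL_CTX_use_PrivateKey_file` call. The `SSL_CTX_check_private_key` call in the trailing context still catches a key that does not match the certificate, so nothing is lost by dropping the type-specific loader.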

Note that the configure option --enable-dh should also be used to make stunnel
work with DSA, and a set of Diffie-Hellman parameters must be generated and put
into stunnel.pem along with the server key and certificate.
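Building the combined stunnel.pem this note describes, as an added example that is not part of the bug report or of stunnel itself; it assumes the openssl command line tool is installed, and the file names, subject name and 1024-bit sizes are constructed test values:

```shell
#!/bin/sh
# Added example: assemble key + certificate + DH parameters into one
# stunnel.pem with the openssl CLI and check that the parts belong together.
# File names, the CN and the 1024-bit sizes are constructed values chosen
# to keep generation fast; use production sizes for a real deployment.
set -eu

# Generate a DSA private key, a self-signed certificate for it and a set of
# DH parameters, then concatenate them into $1/stunnel.pem in the order
# key, certificate, DH parameters. Prints the path of the combined file.
make_stunnel_pem() {
    dir="$1"
    openssl dsaparam -genkey -noout -out "$dir/dsakey.pem" 1024 2>/dev/null
    openssl req -new -x509 -key "$dir/dsakey.pem" -subj "/CN=stunnel-dsa-test" \
        -days 1 -out "$dir/dsacert.pem" 2>/dev/null
    # -dsaparam yields DH parameters quickly; searching for 1024-bit safe
    # primes without it can take a long time.
    openssl dhparam -dsaparam -out "$dir/dh.pem" 1024 2>/dev/null
    cat "$dir/dsakey.pem" "$dir/dsacert.pem" "$dir/dh.pem" > "$dir/stunnel.pem"
    echo "$dir/stunnel.pem"
}

# Return 0 only when the private key and the certificate in the combined file
# carry the same public key (the mismatch SSL_CTX_check_private_key rejects)
# and a DH parameter block is present for an --enable-dh build.
check_stunnel_pem() {
    pem="$1"
    keypub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || return 1
    certpub=$(openssl x509 -in "$pem" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$keypub" ] && [ "$keypub" = "$certpub" ] || return 1
    grep -q 'BEGIN .*DH PARAMETERS' "$pem"
}

# Stand-alone run: build the file in a temporary directory and report.
workdir=$(mktemp -d)
pem=$(make_stunnel_pem "$workdir")
if check_stunnel_pem "$pem"; then
    echo "ok: $pem has a matching DSA key/certificate pair and DH parameters"
else
    echo "error: $pem is inconsistent" >&2
    exit 1
fi
```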


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-p3
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages stunnel depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
ii  netbase                     4.21         Basic TCP/IP networking system
ii  openssl                     0.9.8a-3     Secure Socket Layer (SSL) binary a

-- no debconf information

