23213 2003-06-21 01:05 0000 RSA blinding patch for stunnel breaks client mode 2003-10-28 06:55:39 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED http://forums.gentoo.org/viewtopic.php?t=61894 P2 major --- 1 yem@y3m.net aliz@gentoo.org yem@y3m.net 2003-06-21 01:05:06 0000 The blinding patch on stunnel tries to get the private key in order to determine whether it is an RSA key and therefore RSA blinding is required. The problem is that when stunnel is run in client mode, the key/cert is optional. Stunnel dies because it can't access the key. The workaround is to create a client key/cert PEM file and tell stunnel to use that file (with the -p option or in stunnel.conf) whenever you use stunnel in client mode. I've attached a diff against the gentoo 3.22 blinding patch (/usr/portage/net-misc/stunnel/files/stunnel-3.22-blinding.patch) With this patch, blinding won't be turned on if a client key/cert is not being used. Is this acceptable? yem@y3m.net 2003-06-21 01:06:23 0000 Created an attachment (id=13629) Allow stunnel to be used in client mode without a client cert aliz@gentoo.org 2003-06-28 15:18:39 0000 patch added to 3.24, please test and let me know how it works so I can unmask it. yem@y3m.net 2003-06-28 15:47:04 0000 Yes, 3.24 with the patch works as expected. I was just hoping some SSL expert could confirm that blinding is ONLY required for server mode or in client mode (with an RSA key/cert for auth). Thanks. aliz@gentoo.org 2003-07-02 13:28:58 0000 Zach, I saw that Brian CCed you in his last mail. I've commited 3.24-r1 without your blinding patch, could you try that one too? yem@y3m.net 2003-07-03 01:20:31 0000 Yes, stunnel-3.24-r1 works correctly. The blinding patch is no longer required. stunnel -f -c -D info -P none -r www.microsoft.com:443 2003.07.03 20:19:36 LOG5[17177:16384]: Using 'www.microsoft.com.443' as tcpwrapper service name 2003.07.03 20:19:36 LOG6[17177:16384]: PRNG seeded successfully 2003.07.03 20:19:36 LOG5[17177:16384]: stunnel 3.24 on i686-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6i Feb 19 2003 2003.07.03 20:19:37 LOG6[17177:16384]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 HEAD / HTTP/1.0 Host: www.microsoft.com HTTP/1.1 400 Bad Request Content-Length: 20 Content-Type: text/html Date: Thu, 03 Jul 2003 08:20:07 GMT Connection: close 2003.07.03 20:19:49 LOG5[17177:16384]: Connection closed: 41 bytes sent to SSL, 129 bytes sent to socket Thanks to Brian for clarifying. aliz@gentoo.org 2003-10-28 06:55:39 0000 Closing 13629 2003-06-21 01:06 0000 Allow stunnel to be used in client mode without a client cert stunnel-3.22-blinding.patch.diff text/plain LS0tIHN0dW5uZWwtMy4yMi1ibGluZGluZy5wYXRjaAkyMDAzLTA2LTIxIDIwOjAxOjEwLjAwMDAw MDAwMCArMTIwMAorKysgc3R1bm5lbC0zLjIyLWJsaW5kaW5nLnBhdGNoLQkyMDAzLTA2LTIxIDIw OjAxOjUxLjAwMDAwMDAwMCArMTIwMApAQCAtNDQsNyArNDQsNyBAQAogKyAgICAgICB9IGVsc2Ug ewogKyAgICAgICAgICAgbG9nKExPR19ERUJVRywgIlByaXZhdGUga2V5IGlzIG5vdCBSU0EsIG5v IGJsaW5kaW5nIG5lZWRlZCIpOwogKyAgICAgICB9Ci0rICAgICB9IGVsc2UgeworKyAgICAgfSBl bHNlIGlmIChzc2wtPnR5cGUgPT0gU1NMX1NUX0FDQ0VQVCkgewogKyAgICAgICBsb2coTE9HX0VS UiwgIlVuYWJsZSB0byBnZXQgYWNjZXNzIHRvIHRoZSBTU0wgcHJpdmF0ZSBrZXkuIik7CiArICAg ICAgIHNzbGVycm9yKCJTU0xfZ2V0X3ByaXZhdGVrZXkiKTsKICsgICAgICAgZXhpdCgxKTsK