Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug
Bug#: 23213
Alias:
Product:
Component:
Status: RESOLVED
Resolution: FIXED
Assigned To: Daniel Ahlberg (RETIRED) <aliz@gentoo.org>
Hardware:
OS:
Version:
Priority:
Severity:
Reporter: Zach Bagnall <yem@y3m.net>
Add CC:
CC:
URL:
Summary:
Status Whiteboard:
Keywords:

Filename Description Type Creator Created Size Actions
stunnel-3.22-blinding.patch.diff Allow stunnel to be used in client mode without a client cert patch Zach Bagnall 2003-06-21 01:06 0000 453 bytes Details | Diff
Create a New Attachment (proposed patch, testcase, etc.) View All

Bug 23213 depends on: Show dependency tree
Bug 23213 blocks:
Votes: 0    Show votes for this bug    Vote for this bug

Additional Comments: (this is where you put emerge --info)


Not eligible to see or edit group visibility for this bug.






View Bug Activity   |   Format For Printing   |   XML   |   Clone This Bug

Description:   Opened: 2003-06-21 01:05 0000 
The blinding patch on stunnel tries to get the private key in order to
determine whether it is an RSA key and therefore RSA blinding is required.

The problem is that when stunnel is run in client mode, the key/cert is
optional. Stunnel dies because it can't access the key.

The workaround is to create a client key/cert PEM file and tell stunnel to
use that file (with the -p option or in stunnel.conf) whenever you use
stunnel in client mode.

I've attached a diff against the gentoo 3.22 blinding patch
(/usr/portage/net-misc/stunnel/files/stunnel-3.22-blinding.patch)

With this patch, blinding won't be turned on if a client key/cert
is not being used. Is this acceptable?

------- Comment #1 From Zach Bagnall 2003-06-21 01:06:23 0000 ------- 
Created an attachment (id=13629) [details]
Allow stunnel to be used in client mode without a client cert

------- Comment #2 From Daniel Ahlberg (RETIRED) 2003-06-28 15:18:39 0000 ------- 
patch added to 3.24, please test and let me know how it works so I can unmask
it.

------- Comment #3 From Zach Bagnall 2003-06-28 15:47:04 0000 ------- 
Yes, 3.24 with the patch works as expected.

I was just hoping some SSL expert could confirm that blinding is ONLY required for server mode or in client mode (with an RSA key/cert for auth).

Thanks.

------- Comment #4 From Daniel Ahlberg (RETIRED) 2003-07-02 13:28:58 0000 ------- 
Zach, I saw that Brian CCed you in his last mail. I've commited 3.24-r1 without
your 
blinding patch, could you try that one too?

------- Comment #5 From Zach Bagnall 2003-07-03 01:20:31 0000 ------- 
Yes, stunnel-3.24-r1 works correctly. The blinding patch is no longer required.

stunnel -f -c -D info -P none -r www.microsoft.com:443
2003.07.03 20:19:36 LOG5[17177:16384]: Using 'www.microsoft.com.443' as tcpwrapper service name
2003.07.03 20:19:36 LOG6[17177:16384]: PRNG seeded successfully
2003.07.03 20:19:36 LOG5[17177:16384]: stunnel 3.24 on i686-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6i Feb 19 2003
2003.07.03 20:19:37 LOG6[17177:16384]: Negotiated ciphers: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
HEAD / HTTP/1.0
Host: www.microsoft.com
 
HTTP/1.1 400 Bad Request
Content-Length: 20
Content-Type: text/html
Date: Thu, 03 Jul 2003 08:20:07 GMT
Connection: close
 
2003.07.03 20:19:49 LOG5[17177:16384]: Connection closed: 41 bytes sent to SSL, 129 bytes sent to socket


Thanks to Brian for clarifying.

------- Comment #6 From Daniel Ahlberg (RETIRED) 2003-10-28 06:55:39 0000 ------- 
Closing
Bug List: (This bug is not in your last search results)   Show last search results      Search page      Enter new bug