The blinding patch on stunnel tries to get the private key in order to determine whether it is an RSA key and therefore RSA blinding is required. The problem is that when stunnel is run in client mode, the key/cert is optional. Stunnel dies because it can't access the key. The workaround is to create a client key/cert PEM file and tell stunnel to use that file (with the -p option or in stunnel.conf) whenever you use stunnel in client mode. I've attached a diff against the Gentoo 3.22 blinding patch (/usr/portage/net-misc/stunnel/files/stunnel-3.22-blinding.patch). With this patch, blinding won't be turned on if a client key/cert is not being used. Is this acceptable?
Created attachment 13629: Allow stunnel to be used in client mode without a client cert
Patch added to 3.24, please test and let me know how it works so I can unmask it.
Yes, 3.24 with the patch works as expected. I was just hoping some SSL expert could confirm that blinding is ONLY required for server mode or in client mode (with an RSA key/cert for auth). Thanks.
Zach, I saw that Brian CCed you in his last mail. I've committed 3.24-r1 without your blinding patch, could you try that one too?
Yes, stunnel-3.24-r1 works correctly. The blinding patch is no longer required.

stunnel -f -c -D info -P none -r www.microsoft.com:443
2003.07.03 20:19:36 LOG5[17177:16384]: Using 'www.microsoft.com.443' as tcpwrapper service name
2003.07.03 20:19:36 LOG6[17177:16384]: PRNG seeded successfully
2003.07.03 20:19:36 LOG5[17177:16384]: stunnel 3.24 on i686-pc-linux-gnu PTHREAD+LIBWRAP with OpenSSL 0.9.6i Feb 19 2003
2003.07.03 20:19:37 LOG6[17177:16384]: Negotiated ciphers: RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
HEAD / HTTP/1.0
Host: www.microsoft.com

HTTP/1.1 400 Bad Request
Content-Length: 20
Content-Type: text/html
Date: Thu, 03 Jul 2003 08:20:07 GMT
Connection: close

2003.07.03 20:19:49 LOG5[17177:16384]: Connection closed: 41 bytes sent to SSL, 129 bytes sent to socket

Thanks to Brian for clarifying.
Closing