
I am using CentOS Linux release 7.9.2009 (Core) with the latest updates.
First of all I installed the latest version of OpenSSL there.
Here are the commands for that installation:

cd ~
wget https://www.openssl.org/source/openssl-3.0.7.tar.gz
tar -zxvf openssl-3.0.7.tar.gz
yum install -y perl-IPC-Cmd          # needed by the OpenSSL 3 build scripts
cd openssl-3.0.7
./Configure                          # default prefix: /usr/local, OPENSSLDIR: /usr/local/ssl
make
make install
# expose the new libraries under the system library directory
ln -s /usr/local/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
sudo ldconfig                        # refresh the shared library cache
reboot
openssl version -d
OPENSSLDIR: "/usr/local/ssl"

Now I installed the latest version of stunnel with these commands:

wget ftp://ftp.stunnel.org/stunnel/archive/5.x/stunnel-5.67.tar.gz
sudo yum -y install tar
sudo yum -y update tar
tar -xvzf stunnel-5.67.tar.gz
cd stunnel-5.67
rm -rf stunnel-5.67   # This Is For Learn
groupadd -g 51 stunnel &&
useradd -c "stunnel Daemon" -d /var/lib/stunnel \
        -g stunnel -s /bin/false -u 51 stunnel

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --disable-systemd --with-ssl=/usr/local

make

make docdir=/usr/share/doc/stunnel-5.67 install

With these commands I changed the SSL version of stunnel to the current OpenSSL version, i.e. v3.0.7.

I created a simple cert with the make cert command (stunnel.pem).

Here is the stunnel configuration file:

[Server]
client = no
accept  = 11523
connect = 127.0.0.1:11869
cert = stunnel.pem

Here is the FIPS situation:

sysctl crypto.fips_enabled

--Result--

crypto.fips_enabled = 0

Now after running stunnel I got this error:

[ ] Initializing inetd mode configuration
[ ] Clients allowed=500
[.] stunnel 5.67 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 3.0.7 1 Nov 2022
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
[ ] Initializing inetd mode configuration
[.] Reading configuration from file /etc/stunnel/stunnel.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [Server]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites: TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x2100000 (+0x0, -0x0)
[ ] Session resumption enabled
[ ] Loading certificate from file: stunnel.pem
[!] error queue: ssl/ssl_rsa.c:448: error:0A080002:SSL routines::system lib
[!] error queue: crypto/bio/bss_file.c:300: error:10080002:BIO routines::system lib
[!] SSL_CTX_use_certificate_chain_file: crypto/bio/bss_file.c:297: error:80000002:system library::No such file or directory
[!] Service [certificate-based Server]: Failed to initialize TLS context
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [Server]

How can I fix that error?

helius.dev

2 Answers


Stunnel Server On CentOS 7 - TLS options: 0x2100000 (+0x0, -0x0) Error

This is not an error but just debug information about which TLS options are set.

How can I fix that error?

The real error you have is this:

[ ] Loading certificate from file: stunnel.pem
[!] error queue: ssl/ssl_rsa.c:448: error:0A080002:SSL routines::system lib
[!] error queue: crypto/bio/bss_file.c:300: error:10080002:BIO routines::system lib
[!] SSL_CTX_use_certificate_chain_file: crypto/bio/bss_file.c:297: error:80000002:system library::No such file or directory

This means the path to the certificate points to a certificate which does not exist or is not accessible by stunnel.

 cert = stunnel.pem

You give only a relative path here. Use an absolute path (i.e. something like /etc/stunnel/stunnel.pem) so that it does not depend on the current working directory for stunnel. Also make sure that permissions allow access.

Steffen Ullrich

Make sure the config or variables point to the correct location and have the correct path with the correct file name.

cert = <yourpem>.pem
key = <yourkey>.key

Any OPENSSL environment variables should also point to the correct file and location.

asktyagi
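Both answers come down to the same check: every file path in the stunnel config has to resolve to a file that exists and is readable. The script below is an added example (not code from the question, from either answer, or from the stunnel project) that performs that check before the daemon is started, so a relative `cert = stunnel.pem` is reported as MISSING instead of surfacing as the `No such file or directory` in the log above. It assumes the `option = value` syntax shown on this page and, as a hypothetical convention, resolves relative paths against a base directory (second argument, default /etc/stunnel); stunnel itself resolves them against whatever working directory it happens to run in, which is exactly why the answers recommend absolute paths.

```shell
#!/bin/sh
# Added example, not code from the question or either answer. It checks the
# file paths in a stunnel config (cert, key, CAfile, CRLfile) before the daemon
# is started, so a relative path like "cert = stunnel.pem" is caught as the
# "No such file or directory" it will become when stunnel's working directory
# is not the config directory.
#
# Assumption (hypothetical, not stunnel's own behaviour): relative paths are
# resolved against BASE_DIR (second argument, default /etc/stunnel).

# check_stunnel_paths CONFIG [BASE_DIR]
# Prints one status line per path option; returns 1 if any file is missing or
# not readable by the invoking user, 0 otherwise.
check_stunnel_paths() {
    conf=$1
    base=${2:-/etc/stunnel}
    rc=0
    # Keep only "option = value" lines for the four file options; commented
    # lines (# or ;) do not match because they do not start with the option.
    opts=$(sed -n -E \
        's/^[[:space:]]*(cert|key|CAfile|CRLfile)[[:space:]]*=[[:space:]]*([^[:space:]].*)$/\1=\2/p' \
        "$conf")
    # The loop reads from a here-document rather than a pipe so that rc set
    # inside it survives (a piped while loop would run in a subshell).
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        opt=${line%%=*}
        val=$(printf '%s' "${line#*=}" | sed -E 's/[[:space:]]+$//')
        case "$val" in
            /*) path=$val ;;           # absolute: what the answers recommend
            *)  path=$base/$val ;;     # relative: depends on the daemon's cwd
        esac
        if [ ! -e "$path" ]; then
            printf 'MISSING    %s = %s -> %s\n' "$opt" "$val" "$path"
            rc=1
        elif [ ! -r "$path" ]; then
            printf 'UNREADABLE %s = %s -> %s\n' "$opt" "$val" "$path"
            rc=1
        else
            printf 'OK         %s = %s -> %s\n' "$opt" "$val" "$path"
        fi
    done <<EOF
$opts
EOF
    return "$rc"
}

# demo: reproduces the question's [Server] section in a constructed temp
# directory, first with the relative cert path (fails), then fixed (passes).
demo() {
    dir=$(mktemp -d)
    cat > "$dir/stunnel.conf" <<EOF
[Server]
client = no
accept  = 11523
connect = 127.0.0.1:11869
cert = stunnel.pem
EOF
    echo "== relative cert, file absent (the situation in the question) =="
    check_stunnel_paths "$dir/stunnel.conf" "$dir" || echo "config check FAILED"
    # Constructed empty placeholder standing in for the PEM from 'make cert'.
    : > "$dir/stunnel.pem"
    cat > "$dir/stunnel.conf" <<EOF
[Server]
client = no
accept  = 11523
connect = 127.0.0.1:11869
cert = $dir/stunnel.pem
EOF
    echo "== absolute cert, file present =="
    check_stunnel_paths "$dir/stunnel.conf" "$dir" && echo "config check passed"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh check-stunnel.sh demo` (file name is hypothetical) to see both outcomes, or source it and call `check_stunnel_paths /etc/stunnel/stunnel.conf` against the real config. The readability test is made as the invoking user; if the config drops privileges with stunnel's `setuid`/`setgid` options, run the check as that user so a root-only PEM shows up as UNREADABLE. Once the paths check out, `openssl x509 -in /etc/stunnel/stunnel.pem -noout -subject -enddate` confirms that the file actually parses as a certificate.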