
I'm having trouble enabling TLS 1.2 connections on a Windows platform (the environment has both Windows 2008 and Windows 10 systems). Currently, my private keys are managed by the Windows certificate store, using the CAPI engineId within stunnel (v 5.41), which uses OpenSSL 1.0.2k-fips. Because of this, stunnel can only negotiate a TLS 1.1 connection (SSLv2 and SSLv3/TLS1 are disabled for obvious reasons).

I've tried compiling OpenSSL 1.1.0f and stunnel 5.41, but had no luck either cross-compiling under CentOS or under Windows using either MSYS2/MINGW32 or Cygwin.

I am specifically looking for a way to manage the pfx/p12 (private key) in stunnel without resorting to the Windows certificate store. I found an example on how to configure stunnel to use capi - which worked beautifully, but because openssl 1.0.2 doesn't support ciphers that are used in TLS 1.2, only TLS 1.1 works. I need TLS 1.2.

https://www.stunnel.org/pipermail/stunnel-users/2017-February/005720.html documents why I can't use TLS 1.2 with OpenSSL 1.0.2.

OpenSSL 1.0.2 is what is built into stunnel 5.41. Recompiling didn't work. I'm specifically looking for how to configure stunnel to point at a pkcs12 key.

  • go through : https://stackoverflow.com/help/how-to-ask – Gahan Jun 13 '17 at 12:39
  • "but because openssl 1.0 doesn't support ciphers that are used in TLS 1.2, only TLS 1.1 works". This is not correct - openssl 1.0.1 supports TLS1.2. – Matt Caswell Jun 13 '17 at 12:55
  • You should ask a specific question for a particular problem. Since Stack Overflow hides the Close reason from you: *"Questions asking us to recommend or find a book, tool, software library, tutorial or other off-site resource are off-topic for Stack Overflow as they tend to attract opinionated answers and spam. Instead, describe the problem and what has been done so far to solve it."* – jww Jun 13 '17 at 13:19
  • Matt - OpenSSL 1.0.2 does support TLS1.2, but there is a conflict with the capi engine in 1.0.2 that is required for accessing the key/cert in the Windows cert manager that prevents me from using TLS 1.2: https://www.stunnel.org/pipermail/stunnel-users/2017-February/005720.html – Liz Turi Jun 13 '17 at 13:32
  • jww - thank you - restructured the question – Liz Turi Jun 13 '17 at 13:37
  • The changelog on the stunnel website says support for P12 was added in 5.33 2016.06.23 and the manpage says to just put it in `cert=`; before that (and after) given P12 `openssl pkcs12` converts to PEM which any openssl (and stunnel) back to the oughties can handle. – dave_thompson_085 Jun 13 '17 at 13:57
  • Dave, can you set your response as an answer? Thanks! – Liz Turi Jun 13 '17 at 15:08
  • @Liz - Please place answers in Answer blocks. Please *don't* add them to the question. You can accept your own answer. That's how Stack Overflow works. Also see [Accept Your Own Answers](https://stackoverflow.blog/2009/01/06/accept-your-own-answers/). – jww Jun 13 '17 at 19:08

1 Answer

Solution based on dave_thompson_085's comment:

The solution was simply to put the location of the p12 file in the cert variable; do not include engineId, and do not include key. Don't worry about the password: stunnel will prompt for it.

I kept thinking that I needed to set an engine - as with pkcs11 or capi.

I.e., I was overthinking and completely missed the obvious.

An example of the snippet that worked for me is below. (Everything above was left at the default, except sslOptions, which was set to sslOptions=TLS1.2.)

[https-test-services]
client=yes
accept=127.0.0.1:7000
connect=hostname.of.remote.server:8443
verifyChain = yes
CAfile = ca-certs.pem
cert = C:\Location\To\certandkey.p12
checkHost = hostname.of.remote.server
OCSPaia=yes