Last active
March 3, 2018 19:13
-
-
Save jaykishanmutkawoa/8b439876a808ec0fe5061b61d329d2ea to your computer and use it in GitHub Desktop.
Allowing user to specify TLSv1.3 in Stunnel
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| 1.The stunnel beta version was compiled with openssl-dev 1.1 | |
| [root@localhost stunnel-5.43]# /usr/local/bin/stunnel version | |
| [ ] Clients allowed=500 | |
| [.] stunnel 5.43 on x86_64-pc-linux-gnu platform | |
| [.] Compiled/running with OpenSSL 1.1.1-dev xx XXX xxxx | |
| [.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI | |
| [ ] errno: (*__errno_location ()) | |
| 2.My stunnel configuration as follows: | |
| [root@localhost ~]# cat /usr/local/etc/stunnel/stunnel.conf | |
| chroot = /var/run/stunnel | |
| setuid = stunnel | |
| setgid = stunnel | |
| pid = /stunnel.pid | |
| debug = 7 | |
| output = /stunnel.log | |
| sslVersion = TLSv1.3 | |
| [ssh] | |
| key = /etc/stunnel/privatekey.pem | |
| cert = /etc/stunnel/certificate.pem | |
| accept = 3000 | |
| connect = 127.0.0.1:22 | |
| 3. The git diff patch as follows: | |
| [root@localhost stunnel-5.43]# git diff src/options.c | |
| diff --git a/src/options.c b/src/options.c | |
| index 94a2d8c..eee6be0 100644 | |
| --- a/src/options.c | |
| +++ b/src/options.c | |
| @@ -150,6 +150,9 @@ static const SSL_OPTION ssl_opts[] = { | |
| #ifdef SSL_OP_NO_TLSv1_2 | |
| {"NO_TLSv1.2", SSL_OP_NO_TLSv1_2}, | |
| #endif | |
| +#ifdef SSL_OP_NO_TLSv1_3 | |
| + {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3}, | |
| +#endif | |
| {"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1}, | |
| {"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2}, | |
| {"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG}, | |
| @@ -2673,11 +2676,16 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section, | |
| #endif /* !defined(OPENSSL_NO_TLS1_2) */ | |
| } else if(!strcasecmp(arg, "TLSv1.3")) { | |
| #ifndef OPENSSL_NO_TLS1_3 | |
| - section->client_method=(SSL_METHOD *)TLSv1_3_client_method(): | |
| - section->server_method=(SSL_METHOD *)TLSv1_3 server_method(); | |
| + section->client_method=(SSL_METHOD *)TLS_client_method(); | |
| + section->server_method=(SSL_METHOD *)TLS_server_method(); | |
| + section->ssl_options_set|= SSL_OP_NO_SSLv2; | |
| + section->ssl_options_set|= SSL_OP_NO_SSLv3; | |
| + section->ssl_options_set|= SSL_OP_NO_TLSv1; | |
| + section->ssl_options_set|= SSL_OP_NO_TLSv1_1; | |
| + section->ssl_options_set|= SSL_OP_NO_TLSv1_2; | |
| #else /* defined(OPENSSL_NO_TLS1_3) */ | |
| return "TLSv1.3 not supported"; | |
| -#endif | |
| +#endif /* !defined(OPENSSL_NO_TLS1_3) */ | |
| #endif /* OPENSSL_API_COMPAT<0x10100000L */ | |
| } else | |
| return "Incorrect version of TLS protocol"; | |
| 4.The stunnel configuration was tested with tls1.3 as follows: | |
| [root@localhost stunnel-5.43]# openssl s_client -connect 127.0.0.1:3000 | |
| CONNECTED(00000003) | |
| depth=0 C = mu, ST = pereybere, L = pamplemousse, O = hackersMU, OU = Hackers.mu | |
| verify error:num=18:self signed certificate | |
| verify return:1 | |
| depth=0 C = mu, ST = pereybere, L = pamplemousse, O = hackersMU, OU = Hackers.mu | |
| verify return:1 | |
| --- | |
| Certificate chain | |
| 0 s:/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu | |
| i:/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu | |
| --- | |
| Server certificate | |
| -----BEGIN CERTIFICATE----- | |
| MIIDmDCCAoCgAwIBAgIJAOJVNbZE/AZVMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNV | |
| BAYTAm11MRIwEAYDVQQIDAlwZXJleWJlcmUxFTATBgNVBAcMDHBhbXBsZW1vdXNz | |
| ZTESMBAGA1UECgwJaGFja2Vyc01VMRMwEQYDVQQLDApIYWNrZXJzLm11MB4XDTE3 | |
| MTExMDIyNTY0OFoXDTE4MTExMDIyNTY0OFowYTELMAkGA1UEBhMCbXUxEjAQBgNV | |
| BAgMCXBlcmV5YmVyZTEVMBMGA1UEBwwMcGFtcGxlbW91c3NlMRIwEAYDVQQKDAlo | |
| YWNrZXJzTVUxEzARBgNVBAsMCkhhY2tlcnMubXUwggEiMA0GCSqGSIb3DQEBAQUA | |
| A4IBDwAwggEKAoIBAQDC6okaVIcBMk436jsVrhtjgam3ulyloQqD+4NCC1pF05v7 | |
| IK2nTn/4TSaUQEH4ebPZLko0vxQ+lP5dDvsZCAgYL1jpbU7zA6mZg09ozK1Ropgv | |
| lBAbYf1GkczAyekP6CngXoAtwPyEUTUkJnjgXf3mc/xXxyR98V9hGjB0OMSDGiiE | |
| F93NzP7dsXVQDk3moEiMO6KkFYmlvGWZgYEpzFBCE3r3OkUQvHKtOlubp0pygUbE | |
| VCNTfAmJKDQeqXvYi3PfCt0fBK14DUSwC9Kqj44lYLvKV6+Kjeopf7PCmNDl5V1z | |
| Xcj0ijbGQPRoyt5LcJ/txSiXpdEnsRYKdrYHY7+NAgMBAAGjUzBRMB0GA1UdDgQW | |
| BBRj03Ze/KE8a9WDc+zhiyclib90mDAfBgNVHSMEGDAWgBRj03Ze/KE8a9WDc+zh | |
| iyclib90mDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBhUYQ+ | |
| OoG1WTxxTgJwSskdlvH0yMTMbn0gP+qs0Uodu5Aw6q7hKwmKnpmLfoxRjkgOW5Mc | |
| dP2YdUPiWwCE+DI17hIxU9b60IR2wIZLy9lYeD5u3kHsV23lRZgU2flzsPU/56YF | |
| wS9RZlFa1sAIwmU5GHuLuqinh3yTNCyN0OG2GJu4SJWDED3LtRgd1PDljOYmPiHZ | |
| duLNtXnzmOPfE3ubKxVMmOLhpz2aG6PloetMb/oQwFMlD9+EGe6IRlYsy5xcJR+Y | |
| ap6SV9y++9ajcEDzdeHTw2+j5v3aD98wWbyCppRDiriMfxa4VmDg2gJyoPY0Eu8o | |
| NvXi7xAmW2Af0moz | |
| -----END CERTIFICATE----- | |
| subject=/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu | |
| issuer=/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu | |
| --- | |
| No client certificate CA names sent | |
| Peer signing digest: SHA256 | |
| Peer signature type: RSA-PSS | |
| --- | |
| SSL handshake has read 1486 bytes and written 507 bytes | |
| Verification error: self signed certificate | |
| --- | |
| New, TLSv1.3, Cipher is TLS13-AES-256-GCM-SHA384 | |
| Server public key is 2048 bit | |
| Secure Renegotiation IS NOT supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| Early data was not sent | |
| SSL-Session: | |
| Protocol : TLSv1.3 | |
| Cipher : TLS13-AES-256-GCM-SHA384 | |
| Session-ID: | |
| Session-ID-ctx: | |
| Master-Key: ACB6E32CFE311C7F4BAD63EE354B0B6B91A4385C85ED43EC350170FB0E81ED8D0ED1C73461C4453FB90AE7712DD3D887 | |
| PSK identity: None | |
| PSK identity hint: None | |
| SRP username: None | |
| Start Time: 1510414466 | |
| Timeout : 7200 (sec) | |
| Verify return code: 18 (self signed certificate) | |
| Extended master secret: no | |
| --- | |
| read R BLOCK | |
| SSH-2.0-OpenSSH_7.4 | |
| 5. When the handshake was tested with openssl tls1.2 or 1.1, it failed. Example : | |
| [root@localhost stunnel-5.43]# openssl s_client -connect 127.0.0.1:3000 -tls1_1 | |
| CONNECTED(00000003) | |
| 139764765267776:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1471:SSL alert number 70 | |
| --- | |
| no peer certificate available | |
| --- | |
| No client certificate CA names sent | |
| --- | |
| SSL handshake has read 7 bytes and written 102 bytes | |
| Verification: OK | |
| --- | |
| New, (NONE), Cipher is (NONE) | |
| Secure Renegotiation IS NOT supported | |
| Compression: NONE | |
| Expansion: NONE | |
| No ALPN negotiated | |
| SSL-Session: | |
| Protocol : TLSv1.1 | |
| Cipher : 0000 | |
| Session-ID: | |
| Session-ID-ctx: | |
| Master-Key: | |
| PSK identity: None | |
| PSK identity hint: None | |
| SRP username: None | |
| Start Time: 1510414700 | |
| Timeout : 7200 (sec) | |
| Verify return code: 0 (ok) | |
| Extended master secret: no | |
| --- | |
| 6. We also verified compatibility with tls1.1 and 1.2 which is sucessful, once the modification is made in the stunnel.conf | |
| Regards | |
| https://tunnelix.com |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment