In <list-1728662@2rosenthals.com>, on 03/06/21
at 07:03 AM, "Paul Smedley" <ecs-isp@2rosenthals.com> said:
Hi Paul,
>I am NOT seeing this here. I just tested the build and it's working
>fine in my environment. Please post the full output of trying to run
>stunnel, not just the one line with the internal error. There may be
>useful additional context around that error.
stunnel-5.58-os2-20210228-debug.zip starts fine here, but I did run into a
backwards compatibility issue:
Starting Stunnel daemon from
D:\SLAInc\stunnel\stunnel-to-steven-dnacih-com\etc stunnel
stunnel_to_steven.conf
[ ] Initializing inetd mode configuration
[ ] Clients allowed=4882
[.] stunnel 5.58 on i386-pc-os2-emx built by Paul Smedley on Feb 28 2021
[.] Compiled/running with OpenSSL 1.1.1j 16 Feb 2021
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,OCSP,PSK,SNI
[ ] errno: (* _errno())
[ ] Initializing inetd mode configuration
[.] Reading configuration from file
D:/SLAInc/stunnel/stunnel-to-steven-dnacih-com/etc/stunnel_to_steven.conf
[.] UTF-8 byte order mark not detected
[.] FIPS mode disabled
[ ] Compression disabled
[ ] No PRNG seeding was required
[ ] Initializing service [vnc]
[ ] stunnel default security level set: 2
[ ] Ciphers: HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK
[ ] TLSv1.3 ciphersuites:
TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256:TLS_CHACHA20_POLY1305_SHA256
[ ] TLS options: 0x02100004 (+0x00000000, -0x00000000)
[ ] Loading certificate from file: ssl/private/slainc.crt
[!] SSL_CTX_use_certificate_chain_file: ssl/ssl_rsa.c:301: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small
[!] Service [vnc]: Failed to initialize TLS context
[!] Configuration failed
[ ] Deallocating temporary section defaults
[ ] Deallocating section [vnc]
This occurs because my keys, created years ago, are 1028 bit.
The workaround, for now, is to add:
securityLevel = 1
to the stunnel config file. This is sufficient to allow secure,
verification level 3 connections to the older stunnel builds. Of course,
the older builds are perfectly happy with the 1024 bit keys without this
config value.
This allows me to avoid rebuilding all the keys and certificates.
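A small checker for the failure described above, added here as an example (not code from the thread or from stunnel itself); it assumes stunnel's layout where service options before the first [section] act as defaults, and OpenSSL's published minimum RSA sizes per security level.

```python
import re

# Minimum RSA/DSA/DH key size OpenSSL accepts at each security level
# (levels 1..5 correspond to 80/112/128/192/256 bits of security; 0 is unrestricted).
MIN_RSA_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}

# Default in OpenSSL 1.1.1 / stunnel 5.58, matching the log line
# "stunnel default security level set: 2".
DEFAULT_LEVEL = 2


def effective_security_level(config_text, service):
    """Resolve securityLevel for one [service] section of a stunnel config.

    Assumption: a securityLevel set before the first [section] is the default
    for every service; a value inside the named section overrides it.
    """
    level, section = DEFAULT_LEVEL, None
    for raw in config_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in stunnel.conf
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        m = re.match(r"(?i)securityLevel\s*=\s*(\d)$", line)
        if m and section in (None, service):
            level = int(m.group(1))
    return level


def check_ee_key(modulus_bits, level):
    """Judge an end-entity RSA key the way SSL_CTX_use_certificate does at
    the given security level; returns (accepted, message)."""
    need = MIN_RSA_BITS[level]
    if modulus_bits < need:
        return False, (f"ee key too small: {modulus_bits}-bit RSA, "
                       f"level {level} requires >= {need} bits")
    return True, f"{modulus_bits}-bit RSA accepted at level {level}"


# Constructed sample config for the [vnc] service from the report, with and
# without the securityLevel = 1 workaround the post describes.
CONFIG_STOCK = ("client = yes\n[vnc]\naccept = 5900\n"
                "connect = 127.0.0.1:5901\ncert = ssl/private/slainc.crt\n")
CONFIG_WORKAROUND = "securityLevel = 1\n" + CONFIG_STOCK

if __name__ == "__main__":
    for name, cfg in (("stock", CONFIG_STOCK), ("workaround", CONFIG_WORKAROUND)):
        lvl = effective_security_level(cfg, "vnc")
        print(f"{name}: level {lvl}: {check_ee_key(1024, lvl)[1]}")
```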