Hi! (sorry, I previously sent this off-list by mistake...)
On 2018-12-04 11:14, Małgorzata Olszówka wrote:
>> Because I am using PSK and now the connection fails unless I disable TLS 1.3:
>> LOG3[1]: SSL_accept: 141F9044: error:141F9044:SSL
>> routines:tls_parse_ctos_psk:internal error
> Hello,
> I was able to replicate this error with OpenSSL-1.1.1 without stunnel.
> It looks like the problem is caused by a long key.
> I recommend upgrading the openssl version or shortening the key.

Using openssl s_server/s_client, I found that the key length limit is 128 (i.e. 64 bytes or 512 bits). I tested this on an Arch Linux system (which already has openssl 1.1.1a), where there was no issue with longer keys, so this is probably a bug in 1.1.1.

AFAICS, stunnel just gives a plain copy of the key from the PSK file, so if I use a PSK key with 64 chars or less, it should work. I tried with a key length of 20 chars (the minimum accepted by stunnel), but now I get this error:

LOG3[13]: SSL_accept: 14094438: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error

Unfortunately, there is no openssl 1.1.1a rpm for Fedora yet (and building it myself is not something I would do light-heartedly), so I will stick with TLS 1.2 for now.

Thanks and regards,
Jakob
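An added example, not part of the original message or of stunnel: a length audit for a PSK secrets file using the two limits reported above (20-character minimum in stunnel, 64 bytes with OpenSSL 1.1.1 and TLS 1.3). It assumes one `IDENTITY:KEY` entry per line with the key used verbatim; the function names and sample entries are constructed, and it does not address the second error reported with the 20-character key.

```python
"""Audit PSK file entries against the key-length limits reported in this thread."""
from dataclasses import dataclass

MIN_KEY_CHARS = 20       # minimum accepted by stunnel, as reported in the post
MAX_KEY_BYTES_111 = 64   # limit seen with OpenSSL 1.1.1 and TLS 1.3, as reported


@dataclass
class Finding:
    line_no: int
    identity: str
    key_len: int   # length only; the key itself is never stored or printed
    status: str    # "ok", "too-short", "too-long-for-1.1.1" or "malformed"


def audit_psk_lines(lines):
    """Classify each IDENTITY:KEY line (assumed format) by key length."""
    findings = []
    for line_no, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # skip blank lines
        identity, sep, key = line.partition(":")
        if not sep or not identity or not key:
            # Do not echo the line: it may consist of nothing but a secret.
            findings.append(Finding(line_no, "?", 0, "malformed"))
            continue
        key_len = len(key.encode("utf-8"))  # key is passed on as a plain copy
        if key_len < MIN_KEY_CHARS:
            status = "too-short"
        elif key_len > MAX_KEY_BYTES_111:
            status = "too-long-for-1.1.1"
        else:
            status = "ok"
        findings.append(Finding(line_no, identity, key_len, status))
    return findings


# Constructed sample entries (not real secrets).
SAMPLE = [
    "client1:" + "a" * 20,
    "client2:" + "b" * 64,
    "client3:" + "c" * 65,
    "",
    "client4:short",
    "line-without-separator",
]

if __name__ == "__main__":
    for f in audit_psk_lines(SAMPLE):
        print(f"line {f.line_no}: {f.identity} key_len={f.key_len} {f.status}")
```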
