We encounter problems when using PSK between a version of stunnel using OpenSSL 1.0 and a version of stunnel using OpenSSL 1.1.1. The problem is the following:

2019.09.16 13:36:28 LOG6[3]: PSK identity not found (session resumption?)
2019.09.16 13:36:28 LOG7[3]: TLS alert (write): fatal: unknown PSK identity
2019.09.16 13:36:28 LOG3[3]: SSL_accept: s3_srvr.c:2845: error:1408B0DF:SSL routines:ssl3_get_client_key_exchange:psk identity not found

No problems are encountered when using certificates, or when the same versions of stunnel and OpenSSL are used. In the latter case neither certificates nor PSK give any problems connecting.

I am sorry if this has been posted before (I could not find a similar question). Can anyone help me with this, please? We seem to be getting problems with PSK only when using OpenSSL 1.0 versus OpenSSL 1.1.

The OpenSSL and stunnel versions involved are:

OLD OPENSSL SET-UP:

openssl version
OpenSSL 1.0.2r  26 Feb 2019

stunnel -version
stunnel 5.55 on powerpc-ibm-aix7.2.2.0 platform
Compiled/running with OpenSSL 1.0.2r  26 Feb 2019
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
RNDbytes               = 1024
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK (with "fips = no")
curves                 = prime256v1
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none

NEW OPENSSL SET-UP:

openssl version
OpenSSL 1.1.1c  28 May 2019

stunnel -version
stunnel 5.54 on powerpc-ibm-aix7.2.2.0 platform
Compiled/running with OpenSSL 1.1.1c  28 May 2019
Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI

Global options:
RNDbytes               = 1024
RNDfile                = /dev/urandom
RNDoverwrite           = yes

Service-level options:
ciphers                = FIPS (with "fips = yes")
ciphers                = HIGH:!aNULL:!SSLv2:!DH:!kDHEPSK (with "fips = no")
ciphersuites           = TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256 (with TLSv1.3)
curves                 = X25519:P-256:X448:P-521:P-384
debug                  = daemon.notice
logId                  = sequential
options                = NO_SSLv2
options                = NO_SSLv3
sessionCacheSize       = 1000
sessionCacheTimeout    = 300 seconds
stack                  = 65536 bytes
TIMEOUTbusy            = 300 seconds
TIMEOUTclose           = 60 seconds
TIMEOUTconnect         = 10 seconds
TIMEOUTidle            = 43200 seconds
verify                 = none

Both stunnel versions run on the same AIX platform (identical OS).

The set-ups are:

SERVER SET-UP FOR STUNNEL USING OPENSSL 1.0.2r:

debug = debug
syslog = no
output = /path/to/logfile
log = append
pid = /path/to/pidfile
cert = /path/to/cert
key = /path/to/key
CAFile = /path/to/CAfile
CAPath = /path/to/CAdir
PSKsecrets = /path/to/PSKfile

[HkListenerSSL]
client = no
verifyChain = yes
verifyPeer = yes
accept = 0.0.0.0:9999
connect = localhost:25250

[HkListenerPSKO012]
client = no
accept = 0.0.0.0:9998
connect = localhost:25250
ciphers = PSK

CLIENT SET-UP FOR STUNNEL USING OPENSSL 1.0.2r:

debug = debug
syslog = no
output = /path/to/logfile
log = append
pid = /path/to/pidfile
cert = /path/to/cert
key = /path/to/key
CAFile = /path/to/CAfile
CAPath = /path/to/CAdir
PSKsecrets = /path/to/PSKfile

[HkListenerSSL]
client = yes
verifyChain = yes
verifyPeer = yes
accept = 0.0.0.0:1119
connect = localhost:9999

[HkListenerPSKO013]
client = yes
accept = 0.0.0.0:1118
connect = localhost:9998
ciphers = PSK

PSKfile content for server and client:

HkListenerPSKO012:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
HkListenerPSKO013:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU

SERVER SET-UP FOR STUNNEL USING OPENSSL 1.1.1c:

debug = debug
syslog = no
output = /path/to/logfile
log = append
pid = /path/to/pidfile
cert = /path/to/cert
key = /path/to/key
CAFile = /path/to/CAfile
CAPath = /path/to/CAdir
PSKsecrets = /path/to/PSKfile
sslVersionMin = TLSv1
sslVersionMax = TLSv1.2

[HkListenerSSL]
client = no
verifyChain = yes
verifyPeer = yes
accept = 0.0.0.0:9999
connect = localhost:25250

[HkListenerPSKO048]
client = no
accept = 0.0.0.0:9998
connect = localhost:25250
ciphers = PSK

CLIENT SET-UP FOR STUNNEL USING OPENSSL 1.1.1c:

debug = debug
syslog = no
output = /path/to/logfile
log = append
pid = /path/to/pidfile
cert = /path/to/cert
key = /path/to/key
CAFile = /path/to/CAfile
CAPath = /path/to/CAdir
PSKsecrets = /path/to/PSKfile
sslVersionMin = TLSv1
sslVersionMax = TLSv1.2

[HkListenerSSL]
client = yes
verifyChain = yes
verifyPeer = yes
accept = localhost:4449
connect = dreps:9999

[HkListenerPSKO047]
client = yes
accept = localhost:4448
connect = dreps:9998
ciphers = PSK

PSKfile content for server and client set-up:

HkListenerPSKO047:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
HkListenerPSKO048:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU

It goes without saying that only one of the two server set-ups can be active during testing.

Well, that is the end of my 'small' mail 😉

Kind regards,
Hannah Koperberg, de Volksbank in the Netherlands
_______________________________________________ stunnel-users mailing list [email protected] https://www.stunnel.org/cgi-bin/mailman/listinfo/stunnel-users
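Added example, not from the post and not stunnel's own code: a Python checker for the two PSKsecrets files the message quotes. The third log line names s3_srvr.c, the server-side source file of OpenSSL 1.0.x, so the side rejecting the identity is the 1.0.2r server. The check below asks whether the identity a stunnel client offers by default (the first line of its PSKsecrets file unless PSKidentity selects another one), exists in the server's file, and whether the keys agree. Both rules, the automatic hex-to-binary key conversion and the 16-byte minimum key length are taken from the stunnel manual and are assumptions here, not something verified on the poster's AIX hosts. Run against the two files quoted above, the same-version pairs pass and the cross-version pairs report identity_not_found, which is the condition behind the "unknown PSK identity" alert; whether anything else is involved on those hosts is for the list to confirm.

```python
"""Checker for a client/server pair of stunnel PSKsecrets files.

Added example (not from the post, not from stunnel). Assumptions taken from
the stunnel manual rather than verified on the poster's hosts:
  * a stunnel client offers the first identity in its PSKsecrets file unless
    PSKidentity selects a different one;
  * a stunnel server accepts only identities listed in its own PSKsecrets
    file and otherwise logs "PSK identity not found";
  * all-hexadecimal keys are converted to binary, anything else is raw text,
    and keys must be at least 16 bytes long.
"""
from __future__ import annotations

from dataclasses import dataclass

MIN_KEY_BYTES = 16  # minimum key length per the stunnel manual (assumption)

# Constructed samples: the PSKsecrets contents quoted in the post.
PSKFILE_102 = """\
HkListenerPSKO012:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
HkListenerPSKO013:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
"""
PSKFILE_111 = """\
HkListenerPSKO047:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
HkListenerPSKO048:ZOOzMLROn5+Xy6PJ/lwnCgy5lq+Ak7OhOFS2s6vj4OU
"""


@dataclass(frozen=True)
class PskEntry:
    identity: str
    key: bytes


def decode_key(keytext: str) -> bytes:
    """Even-length all-hex text is a binary key; anything else is used as raw text."""
    hexdigits = set("0123456789abcdefABCDEF")
    if keytext and len(keytext) % 2 == 0 and set(keytext) <= hexdigits:
        return bytes.fromhex(keytext)
    return keytext.encode("utf-8")


def parse_psksecrets(text: str) -> list[PskEntry]:
    """Parse IDENTITY:KEY lines, rejecting malformed, duplicate or too-short entries."""
    entries: list[PskEntry] = []
    seen: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        identity, sep, keytext = line.partition(":")
        identity, keytext = identity.strip(), keytext.strip()
        if not sep or not identity or not keytext:
            raise ValueError(f"line {lineno}: expected IDENTITY:KEY")
        if identity in seen:
            raise ValueError(f"line {lineno}: duplicate identity {identity!r}")
        key = decode_key(keytext)
        if len(key) < MIN_KEY_BYTES:
            raise ValueError(f"line {lineno}: key for {identity!r} is {len(key)} bytes, "
                             f"minimum is {MIN_KEY_BYTES}")
        seen.add(identity)
        entries.append(PskEntry(identity, key))
    if not entries:
        raise ValueError("no PSK entries found")
    return entries


def check_pair(client_text: str, server_text: str,
               psk_identity: str | None = None) -> tuple[str, str]:
    """Return (offered_identity, verdict) for a client file talking to a server file.

    Verdicts: "ok"; "identity_not_found" (the server-side error in the post);
    "key_mismatch" (same identity, different key: the handshake still fails,
    but later and with a different error than the one quoted).
    """
    client = parse_psksecrets(client_text)
    server = {e.identity: e.key for e in parse_psksecrets(server_text)}
    if psk_identity is None:
        offered = client[0].identity  # stunnel's default: first identity in the file
    else:
        if psk_identity not in {e.identity for e in client}:
            raise ValueError(f"PSKidentity {psk_identity!r} is not in the client file")
        offered = psk_identity
    if offered not in server:
        return offered, "identity_not_found"
    client_key = next(e.key for e in client if e.identity == offered)
    if client_key != server[offered]:
        return offered, "key_mismatch"
    return offered, "ok"


if __name__ == "__main__":
    for label, client, server in [
        ("1.0.2 client -> 1.0.2 server", PSKFILE_102, PSKFILE_102),
        ("1.1.1 client -> 1.1.1 server", PSKFILE_111, PSKFILE_111),
        ("1.1.1 client -> 1.0.2 server", PSKFILE_111, PSKFILE_102),
        ("1.0.2 client -> 1.1.1 server", PSKFILE_102, PSKFILE_111),
    ]:
        print(label, *check_pair(client, server))
```

To apply it to real files, read each side's PSKsecrets into a string and pass the client's PSKidentity value (if one is set in that service section) as the third argument; a verdict of identity_not_found is what the server logs as "PSK identity not found", while key_mismatch would surface as a failure later in the handshake.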
