On Monday, December 7, 2020, 03:27:01 AM GMT-5, Christian Keck 
<[email protected]> wrote:  
 ...
 
; You also need to disable TLS 1.2 or later, because the CryptoAPI engine
; currently does not support PSS
;sslVersionMax = TLSv1.1
 
  
 
Is that still valid? If so, it would explain why TLS > 1.1 fails in my setup.
 
  
Yes, Christian. If you want to use TLS 1.2 or later you can't use capi.

Regards
Jose
 
From: Christian Keck <[email protected]>
Sent: Tuesday, 10 November 2020 09:14
To: [email protected]
Subject: [stunnel-users] Re: Stunnel and CAPI engine: Issues after OpenSSL upgrade on server side
 
  
 
Hi Tom, Hi everyone,
 
  
 
thanks for your reply.
 
I tried the settings you posted, but with no luck. The error stays the same:
 
SSL_connect: ssl/ssl_rsa.c:36: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak
 
  
 
I think the only solution is to tweak openssl.cnf in such a way that it 
accepts the MD.
 
Changing the SECLEVEL as described here does not work for Stunnel 
somehow: https://askubuntu.com/questions/1231799/certificate-error-after-upgrade-to-20-04

It seems to me as if the settings are not used at all. Maybe openssl.cnf is 
not used in CAPI mode, or the section "[ default_conf ]" is wrong. If so, what 
would be the correct label to use here?
 
  
 
Cheers,
 
Christian Keck
 
  
 
  
 
From: Tom (AST) Watson <[email protected]>
Sent: Monday, 9 November 2020 21:13
To: Christian Keck <[email protected]>; [email protected]
Subject: RE: Stunnel and CAPI engine: Issues after OpenSSL upgrade on server side
 
  
 
Christian…
 
  
 
You might try the following in your stunnel.conf:

>>>>>
; certificate file, or equivalent (stunnel only treats whole lines starting
; with ';' or '#' as comments, so keep remarks off the value lines)
cert = /etc/ssl/certs/stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
options = NO_TLSv1
options = NO_TLSv1.1
sslVersion = TLSv1.2
<<<<<
 
  
 
This seemed to work for me, as always YMMV!
 
Good luck.
 
  
 
From: Christian Keck <[email protected]>
Sent: Sunday, November 8, 2020 05:42
To: [email protected]
Subject: [External] [stunnel-users] Stunnel and CAPI engine: Issues after 
OpenSSL upgrade on server side
 
  
 
Hi there,
 
  
 
We just upgraded a system that is used as a TLS proxy for incoming connections 
using a client SSL handshake from an old CentOS 6 to a recent Ubuntu LTS.

By doing so, OpenSSL was updated from 1.0.1e to 1.1.1f.
 
  
 
Right after installation, the new OpenSSL complained about "too weak ca 
cypher", so I had to add the line "CipherString = DEFAULT:@SECLEVEL=1" to 
openssl.cnf to make things work again.
 
After applying the changes, connections via browsers do work again using TLS 
1.3.
 
(We will generate a new host-CA some day, but for now we need a running system)
 
  
 
Before the upgrade, Stunnel in CAPI mode worked with TLS 1.2 encryption. Now, 
after updating the server, it refuses to connect at all.
 
  
 
Using version 5.56 of Stunnel, I see the following lines in the log:
 
  
 
error queue: ssl/statem/statem_lib.c:298: error:141F0006:SSL routines:tls_construct_cert_verify:EVP lib

SSL_connect: engines/e_capi.c:814: error:8006F074:lib(128):capi_rsa_priv_enc:function not supported
 
  
 
If I nail the protocol setting to TLS1.1 in the apache2-config, the connection 
is possible again with version 5.56.
 
  
 
Any later versions of Stunnel completely refuse to work, I always get lines 
like:
 
  
 
SSL_read: ssl/ssl_rsa.c:36: error:140C618E:SSL routines:SSL_use_certificate:ca md too weak
 
  
 
I tried several things I found on the net regarding tweaking openssl.cnf 
and/or stunnel.conf, but I can't get it running with version 5.57 or later.
 
  
 
So my question is: What can I do to get Stunnel working again with at least 
TLS 1.2 (or even better TLS 1.3, like I get in most browsers)?
 
Re-generating the host-CA (and thus needing to re-create all client certs) is 
unfortunately no option for the moment.
 
  
 
Many thanks in advance!
 
  
 
Cheers,
 
Christian Keck
 _______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
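The "ca md too weak" error in the original post and in the 10 November follow-up is OpenSSL's certificate security level rejecting a chain whose CA signature digest is too weak for the level in force (Ubuntu 20.04 ships SECLEVEL=2, which requires 112-bit signatures; SHA-1 does not qualify). The script below is an added example written for this thread; it is not stunnel's code and not from any of the participants. It assumes the openssl CLI is on PATH and that the local build still permits SHA-1 signing (some distro crypto policies forbid it); the certificate subjects are made up. It builds a SHA-1-signed CA and leaf, then uses `openssl verify -auth_level N`, which applies the same minimum-bits table (level 1 = 80 bits, level 2 = 112 bits, level 0 = unchecked) that `@SECLEVEL=N` in a CipherString applies inside an SSL_CTX, so the verdicts mirror what stunnel's certificate load sees:

```sh
#!/bin/sh
# Added example for this thread (not stunnel's code, not from any poster): reproduces the
# "ca md too weak" rejection with a SHA-1-signed CA and shows how the OpenSSL security
# level changes the verdict. Assumes the openssl CLI is on PATH and that this build still
# allows SHA-1 signing (distro crypto policies such as RHEL's may forbid it).
set -eu

# Build a self-signed CA and a leaf certificate, both signed with SHA-1, in directory $1.
# Constructed stand-in for the "old host-CA" from the thread; names are invented.
make_sha1_chain() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 2 \
        -subj "/CN=Legacy Test CA" -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=stunnel-client" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -sha1 -days 2 -in "$dir/leaf.csr" -CA "$dir/ca.pem" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.pem" >/dev/null 2>&1
}

# Print the signature algorithm of the CA certificate in $1: the first thing to check
# when stunnel or OpenSSL reports "ca md too weak".
ca_sig_alg() {
    openssl x509 -in "$1/ca.pem" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print "ok" or "fail" for verifying leaf.pem against ca.pem at authentication level $2.
# -auth_level N uses the same minimum-strength table as @SECLEVEL=N in a CipherString
# (level 1 = 80 bits, level 2 = 112 bits, level 0 = no check). Every certificate below the
# trust anchor must carry a signature at least that strong; a SHA-1 signature is not, at
# level 2, which is the X509_V_ERR_CA_MD_TOO_WEAK path.
verify_at_level() {
    dir=$1
    level=$2
    if openssl verify -auth_level "$level" -CAfile "$dir/ca.pem" "$dir/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Demo: build the chain and verify it at level 2 (Ubuntu 20.04 default), level 1 (the
# thread's workaround) and level 0. OpenSSL 1.1.1 rates a SHA-1 signature at 80 bits, so
# level 1 passes there; OpenSSL 3.x rates SHA-1 and MD5 signatures at 64 bits, so on 3.x
# only level 0 accepts this chain.
WORK=$(mktemp -d)
make_sha1_chain "$WORK"
echo "CA signature algorithm: $(ca_sig_alg "$WORK")"
for lvl in 2 1 0; do
    echo "auth_level $lvl: $(verify_at_level "$WORK" "$lvl")"
done
rm -rf "$WORK"
```

Two practical notes. First, check the CA's signature algorithm before touching security levels: if it reports sha1WithRSAEncryption or md5WithRSAEncryption, the lasting fix is re-issuing the CA, and lowering SECLEVEL is a stop-gap that also weakens every other check at that level. Second, if openssl.cnf is not being honoured in a given stunnel setup, stunnel's own `ciphers` option is passed to SSL_CTX_set_cipher_list, which parses `@SECLEVEL=1` in the same way as the CipherString directive; that is a way to apply the setting per stunnel service rather than system-wide, and it does not come from the thread above.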
  