Hi Johann,

I investigated this issue and I found out that encrypted private keys were 
never working with OpenSSL 3.0 (regardless of stunnel version).

Thank you very much for reporting this bug!

Please try building 
https://www.stunnel.org/downloads/beta/stunnel-5.66b1.tar.gz from source.  It 
works fine in my tests.

Also, https://www.stunnel.org/downloads/beta/stunnel-5.66b1-win64-installer.exe 
should fix it on Windows.

Best regards,
    Mike

On 15/08/2022 16:26, Johann Hörmann via stunnel-users wrote:
Hi,

Since stunnel 5.62 it does not take the passphrase for a client key anymore; 
instead it gives a 'bad decrypt' log at once.

It is the same behaviour on the Debian/sid distro as well as on Windows 10.

Up to stunnel 5.61 the same stunnel.conf is accepted and the key gets loaded.

Here is the top of our stunnel.conf:

cert = /home/regula/cert.pem
key = /home/regula/cert.key

client = yes

[-- snip --]

Calling stunnel from bash:

$ stunnel stunnel.conf
[-- snip --]
[ ] Loading certificate from file: /home/regula/cert.pem
[ ] Certificate loaded from file: /home/regula/cert.pem
[ ] Loading private key from file: /home/regula/cert.key
[!] error queue: ../ssl/ssl_rsa.c:384: error:0A080009:SSL routines::PEM lib
[!] error queue: ../crypto/pkcs12/p12_decr.c:86: error:11800074:PKCS12 
routines::pkcs12 cipherfinal error
[!] error queue: ../providers/implementations/ciphers/ciphercommon_block.c:124: 
error:1C800064:Provider routines::bad decrypt
[!] error queue: ../crypto/pkcs12/p12_decr.c:86: error:11800074:PKCS12 
routines::pkcs12 cipherfinal error
[!] SSL_CTX_use_PrivateKey_file: 
../providers/implementations/ciphers/ciphercommon_block.c:124: 
error:1C800064:Provider routines::bad decrypt
[!] Service [guacamole]: Failed to initialize TLS context
[!] Configuration failed
[-- snip --]

$ ls -lh  *pem *key
-r-------- 1 regula regula 3,4K 22. Jun 16:52 cert.key
-r-------- 1 regula regula 2,2K 22. Jun 16:45 cert.pem

openssl does show the enter passphrase dialog and displays the private key:

$ openssl rsa -in cert.key
Enter pass phrase for cert.key:
writing RSA key
-----BEGIN PRIVATE KEY-----
[-- snip --]
-----END PRIVATE KEY-----

~$ dpkg -l|grep openssl
ii  openssl 3.0.4-2 amd64 Secure Sockets Layer toolkit - cryptographic utility
~$ dpkg -l|grep stunnel
ii  stunnel4  3:5.63-1+b1 amd64 Universal SSL tunnel for network daemons

Why is there a different behaviour between openssl and stunnel > 5.61 in 
loading a private key file?


Regards,
Johann
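A diagnostic a practitioner would want at this point, added here as an example and not code from the thread, from stunnel or from OpenSSL: the error queue in the report passes through OpenSSL's PKCS#12 PBE code (p12_decr.c), which in OpenSSL 3 is the path that decrypts a PKCS#8 EncryptedPrivateKeyInfo, so before switching stunnel builds it helps to know exactly which encryption scheme the key file carries. The Python below (standard library only) classifies a PEM private key as unencrypted, legacy PEM-encrypted (Proc-Type/DEK-Info headers) or PKCS#8-encrypted, and for the last case decodes the AlgorithmIdentifier OID so you can tell PBES2 from the older PBES1/PKCS#12 schemes, several of which depend on ciphers (single DES, RC2) that OpenSSL 3 only offers through the legacy provider. The sample PEM blocks are constructed dummies with four bytes of fake ciphertext, not real keys, and the OID table lists only the schemes named here.

```python
import base64
import re

# Object identifiers that appear as the AlgorithmIdentifier of a PKCS#8
# EncryptedPrivateKeyInfo. PBES2 is the current scheme; the rest are PBES1 or
# PKCS#12 PBE variants built on legacy ciphers/digests. (Table is illustrative.)
KNOWN_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2 (PBKDF2 + a separately named cipher)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PBES1, legacy)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PBES1, legacy)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 PBE)",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC (PKCS#12 PBE, legacy)",
}

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Turn the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pkcs8_encryption_scheme(der: bytes) -> str:
    """Return the OID of EncryptedPrivateKeyInfo.encryptionAlgorithm.algorithm.

    EncryptedPrivateKeyInfo ::= SEQUENCE {
        encryptionAlgorithm AlgorithmIdentifier,   -- SEQUENCE { OID, params }
        encryptedData       OCTET STRING }
    """
    tag, outer, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EncryptedPrivateKeyInfo must start with a SEQUENCE")
    tag, alg_id, _ = _read_tlv(outer, 0)
    if tag != 0x30:
        raise ValueError("encryptionAlgorithm must be a SEQUENCE")
    tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    return _decode_oid(oid)


def classify_key(pem_text: str) -> dict:
    """Report how a PEM private key is protected, without needing the passphrase."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    lines = body.splitlines()
    headers, i = {}, 0
    while i < len(lines) and ":" in lines[i]:  # legacy Proc-Type:/DEK-Info: headers
        key, _, val = lines[i].partition(":")
        headers[key.strip()] = val.strip()
        i += 1
    der = base64.b64decode("".join(lines[i:]))

    if label == "ENCRYPTED PRIVATE KEY":
        oid = pkcs8_encryption_scheme(der)
        return {"format": "pkcs8-encrypted", "scheme": oid,
                "description": KNOWN_OIDS.get(oid, "unrecognised OID")}
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher = headers.get("DEK-Info", "").split(",")[0]
        return {"format": "legacy-pem-encrypted", "scheme": cipher, "label": label}
    return {"format": "unencrypted", "label": label}


# Constructed samples, not real keys. _PBES2_DER is a minimal
# EncryptedPrivateKeyInfo: PBES2 OID with no parameters and four dummy
# ciphertext bytes; the base64 bodies of the other two are the same dummy bytes.
_PBES2_DER = bytes.fromhex("3013300b06092a864886f70d01050d0404deadbeef")
SAMPLE_PKCS8 = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                + base64.b64encode(_PBES2_DER).decode()
                + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
SAMPLE_LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\n"
                 "Proc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n"
                 "\n"
                 "3q2+7w==\n"
                 "-----END RSA PRIVATE KEY-----\n")
SAMPLE_PLAIN = "-----BEGIN PRIVATE KEY-----\n3q2+7w==\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    import sys
    # Pass a key path to inspect a real file; otherwise show the three samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            print(classify_key(f.read()))
    else:
        for name, pem in (("pkcs8", SAMPLE_PKCS8), ("legacy", SAMPLE_LEGACY),
                          ("plain", SAMPLE_PLAIN)):
            print(name, classify_key(pem))
```

Run it as `python3 keyscheme.py /home/regula/cert.key` (file name assumed) and compare the reported OID with what `openssl asn1parse -in cert.key` prints for the first OBJECT entry; a PBES1 or PKCS#12 PBE scheme on an OpenSSL 3 host is worth ruling out separately from any stunnel version question, and re-encrypting the key with `openssl pkcs8 -topk8 -v2 aes-256-cbc` yields a PBES2 key that needs no legacy provider.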

_______________________________________________
stunnel-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]