Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save jaykishanmutkawoa/8b439876a808ec0fe5061b61d329d2ea to your computer and use it in GitHub Desktop.
Save jaykishanmutkawoa/8b439876a808ec0fe5061b61d329d2ea to your computer and use it in GitHub Desktop.
Allowing user to specify TLSv1.3 in Stunnel
1.The stunnel beta version was compiled with openssl-dev 1.1
[root@localhost stunnel-5.43]# /usr/local/bin/stunnel version
[ ] Clients allowed=500
[.] stunnel 5.43 on x86_64-pc-linux-gnu platform
[.] Compiled/running with OpenSSL 1.1.1-dev xx XXX xxxx
[.] Threading:PTHREAD Sockets:POLL,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
[ ] errno: (*__errno_location ())
2.My stunnel configuration as follows:
[root@localhost ~]# cat /usr/local/etc/stunnel/stunnel.conf
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
debug = 7
output = /stunnel.log
sslVersion = TLSv1.3
[ssh]
key = /etc/stunnel/privatekey.pem
cert = /etc/stunnel/certificate.pem
accept = 3000
connect = 127.0.0.1:22
3. The git diff patch as follows:
[root@localhost stunnel-5.43]# git diff src/options.c
diff --git a/src/options.c b/src/options.c
index 94a2d8c..eee6be0 100644
--- a/src/options.c
+++ b/src/options.c
@@ -150,6 +150,9 @@ static const SSL_OPTION ssl_opts[] = {
#ifdef SSL_OP_NO_TLSv1_2
{"NO_TLSv1.2", SSL_OP_NO_TLSv1_2},
#endif
+#ifdef SSL_OP_NO_TLSv1_3
+ {"NO_TLSv1.3", SSL_OP_NO_TLSv1_3},
+#endif
{"PKCS1_CHECK_1", SSL_OP_PKCS1_CHECK_1},
{"PKCS1_CHECK_2", SSL_OP_PKCS1_CHECK_2},
{"NETSCAPE_CA_DN_BUG", SSL_OP_NETSCAPE_CA_DN_BUG},
@@ -2673,11 +2676,16 @@ NOEXPORT char *parse_service_option(CMD cmd, SERVICE_OPTIONS *section,
#endif /* !defined(OPENSSL_NO_TLS1_2) */
} else if(!strcasecmp(arg, "TLSv1.3")) {
#ifndef OPENSSL_NO_TLS1_3
- section->client_method=(SSL_METHOD *)TLSv1_3_client_method():
- section->server_method=(SSL_METHOD *)TLSv1_3 server_method();
+ section->client_method=(SSL_METHOD *)TLS_client_method();
+ section->server_method=(SSL_METHOD *)TLS_server_method();
+ section->ssl_options_set|= SSL_OP_NO_SSLv2;
+ section->ssl_options_set|= SSL_OP_NO_SSLv3;
+ section->ssl_options_set|= SSL_OP_NO_TLSv1;
+ section->ssl_options_set|= SSL_OP_NO_TLSv1_1;
+ section->ssl_options_set|= SSL_OP_NO_TLSv1_2;
#else /* defined(OPENSSL_NO_TLS1_3) */
return "TLSv1.3 not supported";
-#endif
+#endif /* !defined(OPENSSL_NO_TLS1_3) */
#endif /* OPENSSL_API_COMPAT<0x10100000L */
} else
return "Incorrect version of TLS protocol";
4.The stunnel configuration was tested with tls1.3 as follows:
[root@localhost stunnel-5.43]# openssl s_client -connect 127.0.0.1:3000
CONNECTED(00000003)
depth=0 C = mu, ST = pereybere, L = pamplemousse, O = hackersMU, OU = Hackers.mu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = mu, ST = pereybere, L = pamplemousse, O = hackersMU, OU = Hackers.mu
verify return:1
---
Certificate chain
0 s:/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu
i:/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDmDCCAoCgAwIBAgIJAOJVNbZE/AZVMA0GCSqGSIb3DQEBCwUAMGExCzAJBgNV
BAYTAm11MRIwEAYDVQQIDAlwZXJleWJlcmUxFTATBgNVBAcMDHBhbXBsZW1vdXNz
ZTESMBAGA1UECgwJaGFja2Vyc01VMRMwEQYDVQQLDApIYWNrZXJzLm11MB4XDTE3
MTExMDIyNTY0OFoXDTE4MTExMDIyNTY0OFowYTELMAkGA1UEBhMCbXUxEjAQBgNV
BAgMCXBlcmV5YmVyZTEVMBMGA1UEBwwMcGFtcGxlbW91c3NlMRIwEAYDVQQKDAlo
YWNrZXJzTVUxEzARBgNVBAsMCkhhY2tlcnMubXUwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQDC6okaVIcBMk436jsVrhtjgam3ulyloQqD+4NCC1pF05v7
IK2nTn/4TSaUQEH4ebPZLko0vxQ+lP5dDvsZCAgYL1jpbU7zA6mZg09ozK1Ropgv
lBAbYf1GkczAyekP6CngXoAtwPyEUTUkJnjgXf3mc/xXxyR98V9hGjB0OMSDGiiE
F93NzP7dsXVQDk3moEiMO6KkFYmlvGWZgYEpzFBCE3r3OkUQvHKtOlubp0pygUbE
VCNTfAmJKDQeqXvYi3PfCt0fBK14DUSwC9Kqj44lYLvKV6+Kjeopf7PCmNDl5V1z
Xcj0ijbGQPRoyt5LcJ/txSiXpdEnsRYKdrYHY7+NAgMBAAGjUzBRMB0GA1UdDgQW
BBRj03Ze/KE8a9WDc+zhiyclib90mDAfBgNVHSMEGDAWgBRj03Ze/KE8a9WDc+zh
iyclib90mDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBhUYQ+
OoG1WTxxTgJwSskdlvH0yMTMbn0gP+qs0Uodu5Aw6q7hKwmKnpmLfoxRjkgOW5Mc
dP2YdUPiWwCE+DI17hIxU9b60IR2wIZLy9lYeD5u3kHsV23lRZgU2flzsPU/56YF
wS9RZlFa1sAIwmU5GHuLuqinh3yTNCyN0OG2GJu4SJWDED3LtRgd1PDljOYmPiHZ
duLNtXnzmOPfE3ubKxVMmOLhpz2aG6PloetMb/oQwFMlD9+EGe6IRlYsy5xcJR+Y
ap6SV9y++9ajcEDzdeHTw2+j5v3aD98wWbyCppRDiriMfxa4VmDg2gJyoPY0Eu8o
NvXi7xAmW2Af0moz
-----END CERTIFICATE-----
subject=/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu
issuer=/C=mu/ST=pereybere/L=pamplemousse/O=hackersMU/OU=Hackers.mu
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
---
SSL handshake has read 1486 bytes and written 507 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS13-AES-256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS13-AES-256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: ACB6E32CFE311C7F4BAD63EE354B0B6B91A4385C85ED43EC350170FB0E81ED8D0ED1C73461C4453FB90AE7712DD3D887
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1510414466
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
read R BLOCK
SSH-2.0-OpenSSH_7.4
5. When the handshake was tested with openssl tls1.2 or 1.1, it failed. Example :
[root@localhost stunnel-5.43]# openssl s_client -connect 127.0.0.1:3000 -tls1_1
CONNECTED(00000003)
139764765267776:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1471:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 102 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1510414700
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
6. We also verified compatibility with tls1.1 and 1.2 which is sucessful, once the modification is made in the stunnel.conf
Regards
https://tunnelix.com
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment