Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Stunnel patch for TLS 1.3
Stunnel running without the patch.
1. My stunnel.conf
=============================================================================================
[root@localhost ~]# cat /etc/stunnel/stunnel.conf
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
debug = 7
output = /stunnel.log
sslVersion = TLSv1
[mysql]
key = /etc/stunnel/privatekey.pem
cert = /etc/stunnel/certificate.pem
accept = 44323
connect = 127.0.0.1:3306
=============================================================================================
2. Netstat showing the service is running
=============================================================================================
[root@localhost ~]# netstat -ntpl | grep -i stunnel
tcp 0 0 0.0.0.0:44323 0.0.0.0:* LISTEN 4265/stunnel
=============================================================================================
3. TLS Protocol verification
=============================================================================================
[root@localhost ~]# openssl s_client -connect 127.0.0.1:44323
CONNECTED(00000003)
depth=0 C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
verify error:num=18:self signed certificate
verify return:1
depth=0 C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
verify return:1
---
Certificate chain
0 s:C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
i:C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIECTCCAvGgAwIBAgIUN95sDvEubgB5LUE+/WKARcCrJwwwDQYJKoZIhvcNAQEL
BQAwgZMxCzAJBgNVBAYTAm11MRAwDgYDVQQIDAdzYXZhbm5lMQ8wDQYDVQQHDAZ2
YWNvYXMxEzARBgNVBAoMCmhhY2tlcnMubXUxGjAYBgNVBAsMEWhhY2tlcnMgbWF1
cml0aXVzMQswCQYDVQQDDAJKTTEjMCEGCSqGSIb3DQEJARYUam11dGthd29hQGhh
Y2tlcnMubXUwHhcNMTgwMzEyMTMzMjE4WhcNMTkwMzEyMTMzMjE4WjCBkzELMAkG
A1UEBhMCbXUxEDAOBgNVBAgMB3NhdmFubmUxDzANBgNVBAcMBnZhY29hczETMBEG
A1UECgwKaGFja2Vycy5tdTEaMBgGA1UECwwRaGFja2VycyBtYXVyaXRpdXMxCzAJ
BgNVBAMMAkpNMSMwIQYJKoZIhvcNAQkBFhRqbXV0a2F3b2FAaGFja2Vycy5tdTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOx6nAcsBDqx0Re7VkXzjV8Y
YfLwtB93f9Kpi1/Xm6kV2j/B1DlH19sw+Js6qf1gJRonJehcRQtNwKAvxS8qW2fR
JXrms6B7K9VPWRUEaJfJlilwdCCvgJTUf1Cz6vAeywfK0/2MoM19V0CPL98bjxIV
/eBa3LLTy0eUgO+nZWa7xAUKUWpJg5JscoA4m9+Pj/+3DsDGgEaAOvPuBLwCU7fF
cHiElbOVqKdgK3oDV3wg/RLr4tOvsTqjLe9qXjEX4gBDanqqUeISGLsJjiGm7nbQ
ruaQM35PZIhBq3SOJP4bKrEF3TN+QrUV0RLNS0licXV+b6go9tXerYljX2TZB1kC
AwEAAaNTMFEwHQYDVR0OBBYEFIbjMzOlQKLDfWFYbZnwlaKAlDaFMB8GA1UdIwQY
MBaAFIbjMzOlQKLDfWFYbZnwlaKAlDaFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggEBAH48Fp0EO5K5b1XQu1Dh5o8qvQ+CU/ADcfg+bghcQ/G3q/LZ
JY/BwuhkOnSc+aWZnOR2Dw9XFC33k1Fg4hGp+eytUaVD1QalBoSRbuXj8G5MMS58
MEHQGlC2JilII8WGTMY8QbGD8XmVKKZoOW3iOnJ0qGdF+QMEmOFVowDStTJY2gCU
eM4dizwb1NZJa08x5S9lYq+Peo+qOqIFxfB1HScuxFEz3C1OF8U7xhNlZnwJNkrW
I+Aa0yI37PU1KhBu+1DA3JDmU5YJFTh1bhilQcEng7Q3NUQdHpTBTXO5TzZpytT2
PrQ5zrDuWkE9YK/r+UQ56V/AjeD7dNT1yRWVS2s=
-----END CERTIFICATE-----
subject=C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
issuer=C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
---
No client certificate CA names sent
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1566 bytes and written 445 bytes
Verification error: self signed certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: 2B5DE56A2A56E8E193E0A396847A36870EE6F3A82117FDB759C9CB34416E9E82
Session-ID-ctx:
Master-Key: C4C6690CB023110180EC5FDA26564F759BA8F8ABE2790B5AD69FF85B52584850BA4277251DD51F2B9D6210ED48AACD08
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1520862809
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: yes
---
read:errno=104
=============================================================================================
4. Now, Stunnel with the patch applied
=============================================================================================
[root@localhost stunnel-5.45]# cat stunnel_tls.patch
--- options.c.orig 2018-03-13 04:06:01.410477727 +0000
+++ options.c 2018-03-13 05:42:51.883782519 +0000
@@ -2675,6 +2675,18 @@ NOEXPORT char *parse_service_option(CMD
#else /* defined(OPENSSL_NO_TLS1_2) */
return "TLSv1.2 not supported";
#endif /* !defined(OPENSSL_NO_TLS1_2) */
+ } else if(!strcasecmp(arg, "TLSv1.3")) {
+#ifndef OPENSSL_NO_TLS1_3
+ section->client_method=(SSL_METHOD *)TLS_client_method();
+ section->server_method=(SSL_METHOD *)TLS_server_method();
+ section->ssl_options_set|= SSL_OP_NO_SSLv2;
+ section->ssl_options_set|= SSL_OP_NO_SSLv3;
+ section->ssl_options_set|= SSL_OP_NO_TLSv1;
+ section->ssl_options_set|= SSL_OP_NO_TLSv1_1;
+ section->ssl_options_set|= SSL_OP_NO_TLSv1_2;
+#else /* defined(OPENSSL_NO_TLS1_3) */
+ return "TLSv1.3 not supported";
+#endif
#endif /* OPENSSL_API_COMPAT<0x10100000L */
} else
return "Incorrect version of TLS protocol";
=============================================================================================
5. The configuration for stunnel was set up anew as follows:
=============================================================================================
[root@localhost stunnel-5.45]# cat /etc/stunnel/stunnel.conf
chroot = /var/run/stunnel
setuid = stunnel
setgid = stunnel
pid = /stunnel.pid
debug = 7
output = /stunnel.log
sslVersion = TLSv1.3
[ssh]
key = /etc/stunnel/privatekey.pem
cert = /etc/stunnel/certificate.pem
accept = 44323
connect = 127.0.0.1:22
=============================================================================================
6. The TLS1.3 was tested
=============================================================================================
[root@localhost stunnel-5.45]# openssl s_client -connect localhost:44323
CONNECTED(00000003)
depth=0 C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
verify error:num=18:self signed certificate
verify return:1
depth=0 C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
verify return:1
---
Certificate chain
0 s:C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
i:C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIGKTCCBBGgAwIBAgIURaV3fzT0BB2LUbGJrB4aaPlm4KEwDQYJKoZIhvcNAQEL
BQAwgaMxCzAJBgNVBAYTAk1VMRAwDgYDVQQIDAdTQVZBTk5FMR4wHAYDVQQHDBVS
SVZJRVJFIERFUyBBTkdVSUxMRVMxEzARBgNVBAoMCkhBQ0tFUlMuTVUxEjAQBgNV
BAsMCUhBQ0tFUlNNVTEUMBIGA1UEAwwLVEhFVFVOTkVMSVgxIzAhBgkqhkiG9w0B
CQEWFEpNVVRLQVdPQUBIQUNLRVJTLk1VMB4XDTE4MDMxMzAzNTcyNFoXDTE5MDMx
MzAzNTcyNFowgaMxCzAJBgNVBAYTAk1VMRAwDgYDVQQIDAdTQVZBTk5FMR4wHAYD
VQQHDBVSSVZJRVJFIERFUyBBTkdVSUxMRVMxEzARBgNVBAoMCkhBQ0tFUlMuTVUx
EjAQBgNVBAsMCUhBQ0tFUlNNVTEUMBIGA1UEAwwLVEhFVFVOTkVMSVgxIzAhBgkq
hkiG9w0BCQEWFEpNVVRLQVdPQUBIQUNLRVJTLk1VMIICIjANBgkqhkiG9w0BAQEF
AAOCAg8AMIICCgKCAgEA5rWBEg6vwlQ3FhpJIVvzZwS5Cy+8obN+XgQddjVMuS68
2Sdbi+jbZjfafoDqWgkXRHqX3SSt6cqIzyBZdntS2Hd5HaozjKUOfAlSQIEoTX9Y
0ph8NFyINsPBILjgy5Sk0LubD+gr4PBXwRziJFpWYAOTYftQ7J7maj6pjwCg/244
cz6BmBTKrBOdnBeyEQTGN0OEj2ytlnZvLbWyv/2Rj8QDvc/bP3Z1WPcVVMi+I2JP
3zIhLWG0f6A+iCgcC+cudk+me36qnMHD1NMucofjqmBjTnAixJs/k5hAfXm25nVM
CxZb7dajBCFCRgEfuC3iYhlNPUhrfdMhRIWgqo64lopXM+clQ9p8br/0yHXMMRmA
M7jpKrVNtkJivyV6Yw/TjtthgsKiEiTtaK5BBYD7U0TwIJ3tcALvm6e5G1zvDSI2
jHt8Jjmbtk3oXzoSidJy/iB/VJuqhcY5OGKMR5KFiu09u6ocgRzW071tZ2ei0t2P
Qs/WkalVoYPt62zRu8GVUjZRPHbgQ5TQGAPCurfJ5H1IA/yiaPUs4I/Lde5l1jDy
uQMUNWqvf8SdvRgKeIllF4glh7kl9LOgBwCoCuV8QF7RpgAb1qMb3UkmWoFcGQ5e
jNN3t3ZY0FFujZaj6hs8yxoPXM7/L6qo0v6vEtDocjkRZZ+WXK2YNUEFpSI7aDEC
AwEAAaNTMFEwHQYDVR0OBBYEFEU4lqgVIiXDeyuOdYE1QFWX46tOMB8GA1UdIwQY
MBaAFEU4lqgVIiXDeyuOdYE1QFWX46tOMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
hvcNAQELBQADggIBAA6++sNn6jjfNZ8LJZ8HnC4Cd8Vkh9W3GRNjUQ8Kjj5I0gO4
d2sNPE3CV0317qjjo4B6WKc4/lriZAHE+TX9t8VMwfO7+E22A8Y64UGpcXuNlOId
NvF8wb5M3BwpOOzXNv3x45JDuUWZU3oXllV9xxFMdFnaDRU79DF/QKrOU0Llp5tO
RZbzvks2hdV1G1bqN5q63st3OifJlLWyGZ1QYDXA39fsagBqM2+CeXK5jIhbsymW
BFzb8jR66r0MgiWl+txpIatxssxVwr2zLewaZDgOqe/Gx5zZOyTb59k42EBjPXgP
qN5KTB/zchPM3i1RpEO2Hsa2J0otIx8lROmk1yRsBQZWjbUUqvf5ixBXPjtpxMqw
MDPiq4TEJ5fZVWV7tkGoeXoROiVCaqCNlPKIs5rw3fWgoS183eMWKOs3F2Uw/zYF
BoooEln4Dsq4BwHxCVjBaGS0jeLscaz8JTWXheZSaO6YCmZf0dDsNk4xWCAp8Ljc
1rLKxX/MiykvgBu0iUog26fp72wC45igG78doXEtslRsG1Usv1uP5AcsyK9rWkZG
fVCRkmlDvO/Tzq3wUQ/gN5LzYZYg3VQQQg6Bjkz+wk1PxSSXq3uAIGeIlCxmlBye
0Ozq/8MBA8zh/6d5IPm4wi3u+n76XgkDVbfklJu2EEKf6F+hyLJBxTqhGSE4
-----END CERTIFICATE-----
subject=C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
issuer=C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2523 bytes and written 727 bytes
Verification error: self signed certificate
---
New, TLSv1.3, Cipher is TLS13-AES-256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS13-AES-256-GCM-SHA384
Session-ID:
Session-ID-ctx:
Master-Key: 9F899B9631BEF340F56DB65EAF8A5700507933F76377A9D2D2B5BF55C431891D7A20E401DB59C93835CDC53935A50882
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1520920053
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
Extended master secret: no
---
read R BLOCK
closed
=============================================================================================
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment