  1. Stunnel running without the patch.
  2.  
  3. 1. My stunnel.conf
  4. =============================================================================================
  5. [root@localhost ~]# cat /etc/stunnel/stunnel.conf
  6. chroot = /var/run/stunnel
  7. setuid = stunnel
  8. setgid = stunnel
  9. pid = /stunnel.pid
  10. debug = 7
  11. output = /stunnel.log
  12. sslVersion = TLSv1
  13. [mysql]
  14. key = /etc/stunnel/privatekey.pem
  15. cert = /etc/stunnel/certificate.pem
  16. accept = 44323
  17. connect = 127.0.0.1:3306
  18. =============================================================================================
  19.  
  20. 2. Netstat showing the service is running
  21. =============================================================================================
  22. [root@localhost ~]# netstat -ntpl | grep -i stunnel
  23. tcp 0 0 0.0.0.0:44323 0.0.0.0:* LISTEN 4265/stunnel
  24. =============================================================================================
  25.  
  26. 3. TLS Protocol verification
  27. =============================================================================================
  28. [root@localhost ~]# openssl s_client -connect 127.0.0.1:44323
  29. CONNECTED(00000003)
  30. depth=0 C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
  31. verify error:num=18:self signed certificate
  32. verify return:1
  33. depth=0 C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
  34. verify return:1
  35. ---
  36. Certificate chain
  37. 0 s:C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
  38. i:C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
  39. ---
  40. Server certificate
  41. -----BEGIN CERTIFICATE-----
  42. MIIECTCCAvGgAwIBAgIUN95sDvEubgB5LUE+/WKARcCrJwwwDQYJKoZIhvcNAQEL
  43. BQAwgZMxCzAJBgNVBAYTAm11MRAwDgYDVQQIDAdzYXZhbm5lMQ8wDQYDVQQHDAZ2
  44. YWNvYXMxEzARBgNVBAoMCmhhY2tlcnMubXUxGjAYBgNVBAsMEWhhY2tlcnMgbWF1
  45. cml0aXVzMQswCQYDVQQDDAJKTTEjMCEGCSqGSIb3DQEJARYUam11dGthd29hQGhh
  46. Y2tlcnMubXUwHhcNMTgwMzEyMTMzMjE4WhcNMTkwMzEyMTMzMjE4WjCBkzELMAkG
  47. A1UEBhMCbXUxEDAOBgNVBAgMB3NhdmFubmUxDzANBgNVBAcMBnZhY29hczETMBEG
  48. A1UECgwKaGFja2Vycy5tdTEaMBgGA1UECwwRaGFja2VycyBtYXVyaXRpdXMxCzAJ
  49. BgNVBAMMAkpNMSMwIQYJKoZIhvcNAQkBFhRqbXV0a2F3b2FAaGFja2Vycy5tdTCC
  50. ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOx6nAcsBDqx0Re7VkXzjV8Y
  51. YfLwtB93f9Kpi1/Xm6kV2j/B1DlH19sw+Js6qf1gJRonJehcRQtNwKAvxS8qW2fR
  52. JXrms6B7K9VPWRUEaJfJlilwdCCvgJTUf1Cz6vAeywfK0/2MoM19V0CPL98bjxIV
  53. /eBa3LLTy0eUgO+nZWa7xAUKUWpJg5JscoA4m9+Pj/+3DsDGgEaAOvPuBLwCU7fF
  54. cHiElbOVqKdgK3oDV3wg/RLr4tOvsTqjLe9qXjEX4gBDanqqUeISGLsJjiGm7nbQ
  55. ruaQM35PZIhBq3SOJP4bKrEF3TN+QrUV0RLNS0licXV+b6go9tXerYljX2TZB1kC
  56. AwEAAaNTMFEwHQYDVR0OBBYEFIbjMzOlQKLDfWFYbZnwlaKAlDaFMB8GA1UdIwQY
  57. MBaAFIbjMzOlQKLDfWFYbZnwlaKAlDaFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
  58. hvcNAQELBQADggEBAH48Fp0EO5K5b1XQu1Dh5o8qvQ+CU/ADcfg+bghcQ/G3q/LZ
  59. JY/BwuhkOnSc+aWZnOR2Dw9XFC33k1Fg4hGp+eytUaVD1QalBoSRbuXj8G5MMS58
  60. MEHQGlC2JilII8WGTMY8QbGD8XmVKKZoOW3iOnJ0qGdF+QMEmOFVowDStTJY2gCU
  61. eM4dizwb1NZJa08x5S9lYq+Peo+qOqIFxfB1HScuxFEz3C1OF8U7xhNlZnwJNkrW
  62. I+Aa0yI37PU1KhBu+1DA3JDmU5YJFTh1bhilQcEng7Q3NUQdHpTBTXO5TzZpytT2
  63. PrQ5zrDuWkE9YK/r+UQ56V/AjeD7dNT1yRWVS2s=
  64. -----END CERTIFICATE-----
  65. subject=C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
  66.  
  67. issuer=C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
  68.  
  69. ---
  70. No client certificate CA names sent
  71. Peer signing digest: MD5-SHA1
  72. Peer signature type: RSA
  73. Server Temp Key: ECDH, P-256, 256 bits
  74. ---
  75. SSL handshake has read 1566 bytes and written 445 bytes
  76. Verification error: self signed certificate
  77. ---
  78. New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
  79. Server public key is 2048 bit
  80. Secure Renegotiation IS supported
  81. Compression: NONE
  82. Expansion: NONE
  83. No ALPN negotiated
  84. SSL-Session:
  85. Protocol : TLSv1
  86. Cipher : ECDHE-RSA-AES256-SHA
  87. Session-ID: 2B5DE56A2A56E8E193E0A396847A36870EE6F3A82117FDB759C9CB34416E9E82
  88. Session-ID-ctx:
  89. Master-Key: C4C6690CB023110180EC5FDA26564F759BA8F8ABE2790B5AD69FF85B52584850BA4277251DD51F2B9D6210ED48AACD08
  90. PSK identity: None
  91. PSK identity hint: None
  92. SRP username: None
  93. Start Time: 1520862809
  94. Timeout : 7200 (sec)
  95. Verify return code: 18 (self signed certificate)
  96. Extended master secret: yes
  97. ---
  98. read:errno=104
  99. =============================================================================================
  100.  
  101. 4. Now, Stunnel with the patch applied
  102.  
  103. =============================================================================================
  104. [root@localhost stunnel-5.45]# cat stunnel_tls.patch
  105. --- options.c.orig 2018-03-13 04:06:01.410477727 +0000
  106. +++ options.c 2018-03-13 05:42:51.883782519 +0000
  107. @@ -2675,6 +2675,18 @@ NOEXPORT char *parse_service_option(CMD
  108. #else /* defined(OPENSSL_NO_TLS1_2) */
  109. return "TLSv1.2 not supported";
  110. #endif /* !defined(OPENSSL_NO_TLS1_2) */
  111. + } else if(!strcasecmp(arg, "TLSv1.3")) {
  112. +#ifndef OPENSSL_NO_TLS1_3
  113. + section->client_method=(SSL_METHOD *)TLS_client_method();
  114. + section->server_method=(SSL_METHOD *)TLS_server_method();
  115. + section->ssl_options_set|= SSL_OP_NO_SSLv2;
  116. + section->ssl_options_set|= SSL_OP_NO_SSLv3;
  117. + section->ssl_options_set|= SSL_OP_NO_TLSv1;
  118. + section->ssl_options_set|= SSL_OP_NO_TLSv1_1;
  119. + section->ssl_options_set|= SSL_OP_NO_TLSv1_2;
  120. +#else /* defined(OPENSSL_NO_TLS1_3) */
  121. + return "TLSv1.3 not supported";
  122. +#endif
  123. #endif /* OPENSSL_API_COMPAT<0x10100000L */
  124. } else
  125. return "Incorrect version of TLS protocol";
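Review bot: The `#ifndef OPENSSL_NO_TLS1_3` guard on the added branch only excludes builds where TLS 1.3 was explicitly disabled; on OpenSSL releases that predate TLS 1.3 the macro is simply absent, so `sslVersion = TLSv1.3` is accepted, every earlier protocol is switched off by the `SSL_OP_NO_*` flags, and no handshake can ever succeed, with nothing telling the operator why. Guarding on the protocol constant as well, `#if defined(TLS1_3_VERSION) && !defined(OPENSSL_NO_TLS1_3)`, turns that case into the existing "TLSv1.3 not supported" error at configuration time. The closing `#endif` of the new block is the only one in the hunk without a trailing comment; `#endif /* !defined(OPENSSL_NO_TLS1_3) */` matches the TLSv1.2 branch above it. The branch also appears to sit inside the region closed by `#endif /* OPENSSL_API_COMPAT<0x10100000L */`; if that guard is false on 1.1.x-API builds, the new option would be compiled out on exactly the OpenSSL versions that implement TLS 1.3, which is worth confirming. parse_service_option continues on both sides of the hunk.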
  126. =============================================================================================
  127.  
  128. 5. The stunnel configuration was then rewritten as follows:
  129.  
  130. =============================================================================================
  131. [root@localhost stunnel-5.45]# cat /etc/stunnel/stunnel.conf
  132. chroot = /var/run/stunnel
  133. setuid = stunnel
  134. setgid = stunnel
  135. pid = /stunnel.pid
  136. debug = 7
  137. output = /stunnel.log
  138. sslVersion = TLSv1.3
  139. [ssh]
  140. key = /etc/stunnel/privatekey.pem
  141. cert = /etc/stunnel/certificate.pem
  142. accept = 44323
  143. connect = 127.0.0.1:22
  144. =============================================================================================
  145.  
  146. 6. TLS 1.3 was then tested
  147.  
  148. =============================================================================================
  149. [root@localhost stunnel-5.45]# openssl s_client -connect localhost:44323
  150. CONNECTED(00000003)
  151. depth=0 C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
  152. verify error:num=18:self signed certificate
  153. verify return:1
  154. depth=0 C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
  155. verify return:1
  156. ---
  157. Certificate chain
  158. 0 s:C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
  159. i:C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
  160. ---
  161. Server certificate
  162. -----BEGIN CERTIFICATE-----
  163. MIIGKTCCBBGgAwIBAgIURaV3fzT0BB2LUbGJrB4aaPlm4KEwDQYJKoZIhvcNAQEL
  164. BQAwgaMxCzAJBgNVBAYTAk1VMRAwDgYDVQQIDAdTQVZBTk5FMR4wHAYDVQQHDBVS
  165. SVZJRVJFIERFUyBBTkdVSUxMRVMxEzARBgNVBAoMCkhBQ0tFUlMuTVUxEjAQBgNV
  166. BAsMCUhBQ0tFUlNNVTEUMBIGA1UEAwwLVEhFVFVOTkVMSVgxIzAhBgkqhkiG9w0B
  167. CQEWFEpNVVRLQVdPQUBIQUNLRVJTLk1VMB4XDTE4MDMxMzAzNTcyNFoXDTE5MDMx
  168. MzAzNTcyNFowgaMxCzAJBgNVBAYTAk1VMRAwDgYDVQQIDAdTQVZBTk5FMR4wHAYD
  169. VQQHDBVSSVZJRVJFIERFUyBBTkdVSUxMRVMxEzARBgNVBAoMCkhBQ0tFUlMuTVUx
  170. EjAQBgNVBAsMCUhBQ0tFUlNNVTEUMBIGA1UEAwwLVEhFVFVOTkVMSVgxIzAhBgkq
  171. hkiG9w0BCQEWFEpNVVRLQVdPQUBIQUNLRVJTLk1VMIICIjANBgkqhkiG9w0BAQEF
  172. AAOCAg8AMIICCgKCAgEA5rWBEg6vwlQ3FhpJIVvzZwS5Cy+8obN+XgQddjVMuS68
  173. 2Sdbi+jbZjfafoDqWgkXRHqX3SSt6cqIzyBZdntS2Hd5HaozjKUOfAlSQIEoTX9Y
  174. 0ph8NFyINsPBILjgy5Sk0LubD+gr4PBXwRziJFpWYAOTYftQ7J7maj6pjwCg/244
  175. cz6BmBTKrBOdnBeyEQTGN0OEj2ytlnZvLbWyv/2Rj8QDvc/bP3Z1WPcVVMi+I2JP
  176. 3zIhLWG0f6A+iCgcC+cudk+me36qnMHD1NMucofjqmBjTnAixJs/k5hAfXm25nVM
  177. CxZb7dajBCFCRgEfuC3iYhlNPUhrfdMhRIWgqo64lopXM+clQ9p8br/0yHXMMRmA
  178. M7jpKrVNtkJivyV6Yw/TjtthgsKiEiTtaK5BBYD7U0TwIJ3tcALvm6e5G1zvDSI2
  179. jHt8Jjmbtk3oXzoSidJy/iB/VJuqhcY5OGKMR5KFiu09u6ocgRzW071tZ2ei0t2P
  180. Qs/WkalVoYPt62zRu8GVUjZRPHbgQ5TQGAPCurfJ5H1IA/yiaPUs4I/Lde5l1jDy
  181. uQMUNWqvf8SdvRgKeIllF4glh7kl9LOgBwCoCuV8QF7RpgAb1qMb3UkmWoFcGQ5e
  182. jNN3t3ZY0FFujZaj6hs8yxoPXM7/L6qo0v6vEtDocjkRZZ+WXK2YNUEFpSI7aDEC
  183. AwEAAaNTMFEwHQYDVR0OBBYEFEU4lqgVIiXDeyuOdYE1QFWX46tOMB8GA1UdIwQY
  184. MBaAFEU4lqgVIiXDeyuOdYE1QFWX46tOMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
  185. hvcNAQELBQADggIBAA6++sNn6jjfNZ8LJZ8HnC4Cd8Vkh9W3GRNjUQ8Kjj5I0gO4
  186. d2sNPE3CV0317qjjo4B6WKc4/lriZAHE+TX9t8VMwfO7+E22A8Y64UGpcXuNlOId
  187. NvF8wb5M3BwpOOzXNv3x45JDuUWZU3oXllV9xxFMdFnaDRU79DF/QKrOU0Llp5tO
  188. RZbzvks2hdV1G1bqN5q63st3OifJlLWyGZ1QYDXA39fsagBqM2+CeXK5jIhbsymW
  189. BFzb8jR66r0MgiWl+txpIatxssxVwr2zLewaZDgOqe/Gx5zZOyTb59k42EBjPXgP
  190. qN5KTB/zchPM3i1RpEO2Hsa2J0otIx8lROmk1yRsBQZWjbUUqvf5ixBXPjtpxMqw
  191. MDPiq4TEJ5fZVWV7tkGoeXoROiVCaqCNlPKIs5rw3fWgoS183eMWKOs3F2Uw/zYF
  192. BoooEln4Dsq4BwHxCVjBaGS0jeLscaz8JTWXheZSaO6YCmZf0dDsNk4xWCAp8Ljc
  193. 1rLKxX/MiykvgBu0iUog26fp72wC45igG78doXEtslRsG1Usv1uP5AcsyK9rWkZG
  194. fVCRkmlDvO/Tzq3wUQ/gN5LzYZYg3VQQQg6Bjkz+wk1PxSSXq3uAIGeIlCxmlBye
  195. 0Ozq/8MBA8zh/6d5IPm4wi3u+n76XgkDVbfklJu2EEKf6F+hyLJBxTqhGSE4
  196. -----END CERTIFICATE-----
  197. subject=C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
  198.  
  199. issuer=C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
  200.  
  201. ---
  202. No client certificate CA names sent
  203. Peer signing digest: SHA256
  204. Peer signature type: RSA-PSS
  205. Server Temp Key: ECDH, P-256, 256 bits
  206. ---
  207. SSL handshake has read 2523 bytes and written 727 bytes
  208. Verification error: self signed certificate
  209. ---
  210. New, TLSv1.3, Cipher is TLS13-AES-256-GCM-SHA384
  211. Server public key is 4096 bit
  212. Secure Renegotiation IS NOT supported
  213. Compression: NONE
  214. Expansion: NONE
  215. No ALPN negotiated
  216. Early data was not sent
  217. SSL-Session:
  218. Protocol : TLSv1.3
  219. Cipher : TLS13-AES-256-GCM-SHA384
  220. Session-ID:
  221. Session-ID-ctx:
  222. Master-Key: 9F899B9631BEF340F56DB65EAF8A5700507933F76377A9D2D2B5BF55C431891D7A20E401DB59C93835CDC53935A50882
  223. PSK identity: None
  224. PSK identity hint: None
  225. SRP username: None
  226. Start Time: 1520920053
  227. Timeout : 7200 (sec)
  228. Verify return code: 18 (self signed certificate)
  229. Extended master secret: no
  230. ---
  231. read R BLOCK
  232. closed
  233. =============================================================================================