- Stunnel running without the patch.
- 1. My stunnel.conf
- =============================================================================================
- [root@localhost ~]# cat /etc/stunnel/stunnel.conf
- chroot = /var/run/stunnel
- setuid = stunnel
- setgid = stunnel
- pid = /stunnel.pid
- debug = 7
- output = /stunnel.log
- sslVersion = TLSv1
- [mysql]
- key = /etc/stunnel/privatekey.pem
- cert = /etc/stunnel/certificate.pem
- accept = 44323
- connect = 127.0.0.1:3306
- =============================================================================================
- 2. Netstat showing the service is running
- =============================================================================================
- [root@localhost ~]# netstat -ntpl | grep -i stunnel
- tcp 0 0 0.0.0.0:44323 0.0.0.0:* LISTEN 4265/stunnel
- =============================================================================================
- 3. TLS Protocol verification
- =============================================================================================
- [root@localhost ~]# openssl s_client -connect 127.0.0.1:44323
- CONNECTED(00000003)
- depth=0 C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
- verify error:num=18:self signed certificate
- verify return:1
- depth=0 C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
- verify return:1
- ---
- Certificate chain
- 0 s:C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
- i:C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
- ---
- Server certificate
- -----BEGIN CERTIFICATE-----
- MIIECTCCAvGgAwIBAgIUN95sDvEubgB5LUE+/WKARcCrJwwwDQYJKoZIhvcNAQEL
- BQAwgZMxCzAJBgNVBAYTAm11MRAwDgYDVQQIDAdzYXZhbm5lMQ8wDQYDVQQHDAZ2
- YWNvYXMxEzARBgNVBAoMCmhhY2tlcnMubXUxGjAYBgNVBAsMEWhhY2tlcnMgbWF1
- cml0aXVzMQswCQYDVQQDDAJKTTEjMCEGCSqGSIb3DQEJARYUam11dGthd29hQGhh
- Y2tlcnMubXUwHhcNMTgwMzEyMTMzMjE4WhcNMTkwMzEyMTMzMjE4WjCBkzELMAkG
- A1UEBhMCbXUxEDAOBgNVBAgMB3NhdmFubmUxDzANBgNVBAcMBnZhY29hczETMBEG
- A1UECgwKaGFja2Vycy5tdTEaMBgGA1UECwwRaGFja2VycyBtYXVyaXRpdXMxCzAJ
- BgNVBAMMAkpNMSMwIQYJKoZIhvcNAQkBFhRqbXV0a2F3b2FAaGFja2Vycy5tdTCC
- ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOx6nAcsBDqx0Re7VkXzjV8Y
- YfLwtB93f9Kpi1/Xm6kV2j/B1DlH19sw+Js6qf1gJRonJehcRQtNwKAvxS8qW2fR
- JXrms6B7K9VPWRUEaJfJlilwdCCvgJTUf1Cz6vAeywfK0/2MoM19V0CPL98bjxIV
- /eBa3LLTy0eUgO+nZWa7xAUKUWpJg5JscoA4m9+Pj/+3DsDGgEaAOvPuBLwCU7fF
- cHiElbOVqKdgK3oDV3wg/RLr4tOvsTqjLe9qXjEX4gBDanqqUeISGLsJjiGm7nbQ
- ruaQM35PZIhBq3SOJP4bKrEF3TN+QrUV0RLNS0licXV+b6go9tXerYljX2TZB1kC
- AwEAAaNTMFEwHQYDVR0OBBYEFIbjMzOlQKLDfWFYbZnwlaKAlDaFMB8GA1UdIwQY
- MBaAFIbjMzOlQKLDfWFYbZnwlaKAlDaFMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggEBAH48Fp0EO5K5b1XQu1Dh5o8qvQ+CU/ADcfg+bghcQ/G3q/LZ
- JY/BwuhkOnSc+aWZnOR2Dw9XFC33k1Fg4hGp+eytUaVD1QalBoSRbuXj8G5MMS58
- MEHQGlC2JilII8WGTMY8QbGD8XmVKKZoOW3iOnJ0qGdF+QMEmOFVowDStTJY2gCU
- eM4dizwb1NZJa08x5S9lYq+Peo+qOqIFxfB1HScuxFEz3C1OF8U7xhNlZnwJNkrW
- I+Aa0yI37PU1KhBu+1DA3JDmU5YJFTh1bhilQcEng7Q3NUQdHpTBTXO5TzZpytT2
- PrQ5zrDuWkE9YK/r+UQ56V/AjeD7dNT1yRWVS2s=
- -----END CERTIFICATE-----
- subject=C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
- issuer=C = mu, ST = savanne, L = vacoas, O = hackers.mu, OU = hackers mauritius, CN = JM, emailAddress = jmutkawoa@hackers.mu
- ---
- No client certificate CA names sent
- Peer signing digest: MD5-SHA1
- Peer signature type: RSA
- Server Temp Key: ECDH, P-256, 256 bits
- ---
- SSL handshake has read 1566 bytes and written 445 bytes
- Verification error: self signed certificate
- ---
- New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
- Server public key is 2048 bit
- Secure Renegotiation IS supported
- Compression: NONE
- Expansion: NONE
- No ALPN negotiated
- SSL-Session:
- Protocol : TLSv1
- Cipher : ECDHE-RSA-AES256-SHA
- Session-ID: 2B5DE56A2A56E8E193E0A396847A36870EE6F3A82117FDB759C9CB34416E9E82
- Session-ID-ctx:
- Master-Key: C4C6690CB023110180EC5FDA26564F759BA8F8ABE2790B5AD69FF85B52584850BA4277251DD51F2B9D6210ED48AACD08
- PSK identity: None
- PSK identity hint: None
- SRP username: None
- Start Time: 1520862809
- Timeout : 7200 (sec)
- Verify return code: 18 (self signed certificate)
- Extended master secret: yes
- ---
- read:errno=104
- =============================================================================================
- 4. Now, Stunnel with the patch applied
- =============================================================================================
- [root@localhost stunnel-5.45]# cat stunnel_tls.patch
- --- options.c.orig 2018-03-13 04:06:01.410477727 +0000
- +++ options.c 2018-03-13 05:42:51.883782519 +0000
- @@ -2675,6 +2675,18 @@ NOEXPORT char *parse_service_option(CMD
- #else /* defined(OPENSSL_NO_TLS1_2) */
- return "TLSv1.2 not supported";
- #endif /* !defined(OPENSSL_NO_TLS1_2) */
- + } else if(!strcasecmp(arg, "TLSv1.3")) {
- +#ifndef OPENSSL_NO_TLS1_3
- + section->client_method=(SSL_METHOD *)TLS_client_method();
- + section->server_method=(SSL_METHOD *)TLS_server_method();
- + section->ssl_options_set|= SSL_OP_NO_SSLv2;
- + section->ssl_options_set|= SSL_OP_NO_SSLv3;
- + section->ssl_options_set|= SSL_OP_NO_TLSv1;
- + section->ssl_options_set|= SSL_OP_NO_TLSv1_1;
- + section->ssl_options_set|= SSL_OP_NO_TLSv1_2;
- +#else /* defined(OPENSSL_NO_TLS1_3) */
- + return "TLSv1.3 not supported";
- +#endif
- #endif /* OPENSSL_API_COMPAT<0x10100000L */
- } else
- return "Incorrect version of TLS protocol";
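Review bot: The closing `#endif` of the new TLSv1.3 branch carries no trailing comment, unlike the neighbouring `#endif /* !defined(OPENSSL_NO_TLS1_2) */`; it should read `#endif /* !defined(OPENSSL_NO_TLS1_3) */` so the nesting stays readable. The branch is inserted just before `#endif /* OPENSSL_API_COMPAT<0x10100000L */`, so if that guard opens an `#if OPENSSL_API_COMPAT<0x10100000L` block (its start is outside the hunk), the TLSv1.3 option is only compiled when deprecated-API compatibility is requested, even though `TLS_client_method()`/`TLS_server_method()` are the non-deprecated API and could sit outside that block. This branch pins the protocol by masking every older version with `SSL_OP_NO_*`; if any sibling TLSv1/TLSv1.1/TLSv1.2 branch above the hunk uses the same generic `TLS_*_method()` plus masks rather than a version-specific method, it presumably now needs `SSL_OP_NO_TLSv1_3` too, otherwise `sslVersion = TLSv1.2` could still negotiate 1.3 against an OpenSSL that supports it. The enclosing `parse_service_option` starts and ends outside the hunk, so that should be verified against the rest of the function.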
- =============================================================================================
- 5. The configuration for stunnel was set up anew as follows:
- =============================================================================================
- [root@localhost stunnel-5.45]# cat /etc/stunnel/stunnel.conf
- chroot = /var/run/stunnel
- setuid = stunnel
- setgid = stunnel
- pid = /stunnel.pid
- debug = 7
- output = /stunnel.log
- sslVersion = TLSv1.3
- [ssh]
- key = /etc/stunnel/privatekey.pem
- cert = /etc/stunnel/certificate.pem
- accept = 44323
- connect = 127.0.0.1:22
- =============================================================================================
- 6. TLS 1.3 was tested
- =============================================================================================
- [root@localhost stunnel-5.45]# openssl s_client -connect localhost:44323
- CONNECTED(00000003)
- depth=0 C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
- verify error:num=18:self signed certificate
- verify return:1
- depth=0 C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
- verify return:1
- ---
- Certificate chain
- 0 s:C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
- i:C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
- ---
- Server certificate
- -----BEGIN CERTIFICATE-----
- MIIGKTCCBBGgAwIBAgIURaV3fzT0BB2LUbGJrB4aaPlm4KEwDQYJKoZIhvcNAQEL
- BQAwgaMxCzAJBgNVBAYTAk1VMRAwDgYDVQQIDAdTQVZBTk5FMR4wHAYDVQQHDBVS
- SVZJRVJFIERFUyBBTkdVSUxMRVMxEzARBgNVBAoMCkhBQ0tFUlMuTVUxEjAQBgNV
- BAsMCUhBQ0tFUlNNVTEUMBIGA1UEAwwLVEhFVFVOTkVMSVgxIzAhBgkqhkiG9w0B
- CQEWFEpNVVRLQVdPQUBIQUNLRVJTLk1VMB4XDTE4MDMxMzAzNTcyNFoXDTE5MDMx
- MzAzNTcyNFowgaMxCzAJBgNVBAYTAk1VMRAwDgYDVQQIDAdTQVZBTk5FMR4wHAYD
- VQQHDBVSSVZJRVJFIERFUyBBTkdVSUxMRVMxEzARBgNVBAoMCkhBQ0tFUlMuTVUx
- EjAQBgNVBAsMCUhBQ0tFUlNNVTEUMBIGA1UEAwwLVEhFVFVOTkVMSVgxIzAhBgkq
- hkiG9w0BCQEWFEpNVVRLQVdPQUBIQUNLRVJTLk1VMIICIjANBgkqhkiG9w0BAQEF
- AAOCAg8AMIICCgKCAgEA5rWBEg6vwlQ3FhpJIVvzZwS5Cy+8obN+XgQddjVMuS68
- 2Sdbi+jbZjfafoDqWgkXRHqX3SSt6cqIzyBZdntS2Hd5HaozjKUOfAlSQIEoTX9Y
- 0ph8NFyINsPBILjgy5Sk0LubD+gr4PBXwRziJFpWYAOTYftQ7J7maj6pjwCg/244
- cz6BmBTKrBOdnBeyEQTGN0OEj2ytlnZvLbWyv/2Rj8QDvc/bP3Z1WPcVVMi+I2JP
- 3zIhLWG0f6A+iCgcC+cudk+me36qnMHD1NMucofjqmBjTnAixJs/k5hAfXm25nVM
- CxZb7dajBCFCRgEfuC3iYhlNPUhrfdMhRIWgqo64lopXM+clQ9p8br/0yHXMMRmA
- M7jpKrVNtkJivyV6Yw/TjtthgsKiEiTtaK5BBYD7U0TwIJ3tcALvm6e5G1zvDSI2
- jHt8Jjmbtk3oXzoSidJy/iB/VJuqhcY5OGKMR5KFiu09u6ocgRzW071tZ2ei0t2P
- Qs/WkalVoYPt62zRu8GVUjZRPHbgQ5TQGAPCurfJ5H1IA/yiaPUs4I/Lde5l1jDy
- uQMUNWqvf8SdvRgKeIllF4glh7kl9LOgBwCoCuV8QF7RpgAb1qMb3UkmWoFcGQ5e
- jNN3t3ZY0FFujZaj6hs8yxoPXM7/L6qo0v6vEtDocjkRZZ+WXK2YNUEFpSI7aDEC
- AwEAAaNTMFEwHQYDVR0OBBYEFEU4lqgVIiXDeyuOdYE1QFWX46tOMB8GA1UdIwQY
- MBaAFEU4lqgVIiXDeyuOdYE1QFWX46tOMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
- hvcNAQELBQADggIBAA6++sNn6jjfNZ8LJZ8HnC4Cd8Vkh9W3GRNjUQ8Kjj5I0gO4
- d2sNPE3CV0317qjjo4B6WKc4/lriZAHE+TX9t8VMwfO7+E22A8Y64UGpcXuNlOId
- NvF8wb5M3BwpOOzXNv3x45JDuUWZU3oXllV9xxFMdFnaDRU79DF/QKrOU0Llp5tO
- RZbzvks2hdV1G1bqN5q63st3OifJlLWyGZ1QYDXA39fsagBqM2+CeXK5jIhbsymW
- BFzb8jR66r0MgiWl+txpIatxssxVwr2zLewaZDgOqe/Gx5zZOyTb59k42EBjPXgP
- qN5KTB/zchPM3i1RpEO2Hsa2J0otIx8lROmk1yRsBQZWjbUUqvf5ixBXPjtpxMqw
- MDPiq4TEJ5fZVWV7tkGoeXoROiVCaqCNlPKIs5rw3fWgoS183eMWKOs3F2Uw/zYF
- BoooEln4Dsq4BwHxCVjBaGS0jeLscaz8JTWXheZSaO6YCmZf0dDsNk4xWCAp8Ljc
- 1rLKxX/MiykvgBu0iUog26fp72wC45igG78doXEtslRsG1Usv1uP5AcsyK9rWkZG
- fVCRkmlDvO/Tzq3wUQ/gN5LzYZYg3VQQQg6Bjkz+wk1PxSSXq3uAIGeIlCxmlBye
- 0Ozq/8MBA8zh/6d5IPm4wi3u+n76XgkDVbfklJu2EEKf6F+hyLJBxTqhGSE4
- -----END CERTIFICATE-----
- subject=C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
- issuer=C = MU, ST = SAVANNE, L = RIVIERE DES ANGUILLES, O = HACKERS.MU, OU = HACKERSMU, CN = THETUNNELIX, emailAddress = JMUTKAWOA@HACKERS.MU
- ---
- No client certificate CA names sent
- Peer signing digest: SHA256
- Peer signature type: RSA-PSS
- Server Temp Key: ECDH, P-256, 256 bits
- ---
- SSL handshake has read 2523 bytes and written 727 bytes
- Verification error: self signed certificate
- ---
- New, TLSv1.3, Cipher is TLS13-AES-256-GCM-SHA384
- Server public key is 4096 bit
- Secure Renegotiation IS NOT supported
- Compression: NONE
- Expansion: NONE
- No ALPN negotiated
- Early data was not sent
- SSL-Session:
- Protocol : TLSv1.3
- Cipher : TLS13-AES-256-GCM-SHA384
- Session-ID:
- Session-ID-ctx:
- Master-Key: 9F899B9631BEF340F56DB65EAF8A5700507933F76377A9D2D2B5BF55C431891D7A20E401DB59C93835CDC53935A50882
- PSK identity: None
- PSK identity hint: None
- SRP username: None
- Start Time: 1520920053
- Timeout : 7200 (sec)
- Verify return code: 18 (self signed certificate)
- Extended master secret: no
- ---
- read R BLOCK
- closed
- =============================================================================================