Your message dated Tue, 22 Nov 2005 23:17:11 -0800 with message-id <[EMAIL PROTECTED]> and subject line Bug#338340: fixed in stunnel 2:3.26-5 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 9 Nov 2005 17:27:05 +0000
From: "Victor B. Wagner" <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: stunnel doesn't support DSA server certificates.
Date: Wed, 09 Nov 2005 20:26:51 +0300

Package: stunnel
Version: 2:3.26-3
Severity: normal
Tags: patch

An attempt to use a DSA server certificate and private key with stunnel produces the following error:

[EMAIL PROTECTED] /usr/sbin/stunnel -d 4433 -p dsaserver.pem -D 7 -f -P none -l /bin/cat -- cat
2005.11.09 20:07:53 LOG5[23269:16384]: Using 'cat' as tcpwrapper service name
2005.11.09 20:07:53 LOG7[23269:16384]: Snagged 64 random bytes from /home/vitus/.rnd
2005.11.09 20:07:53 LOG7[23269:16384]: Wrote 1024 new random bytes to /home/vitus/.rnd
2005.11.09 20:07:53 LOG7[23269:16384]: RAND_status claims sufficient entropy for the PRNG
2005.11.09 20:07:53 LOG6[23269:16384]: PRNG seeded successfully
2005.11.09 20:07:53 LOG7[23269:16384]: Certificate: dsaserver.pem
2005.11.09 20:07:53 LOG3[23269:16384]: SSL_CTX_use_RSAPrivateKey_file: error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an rsa key

The problem is that the upstream author deliberately uses an RSA-specific routine for loading the private key if RSA support is compiled in, while the generic routine SSL_CTX_use_PrivateKey_file, used when stunnel is compiled without DSA support, handles both DSA and RSA keys (and any other types of keys which can be supported by newer versions of OpenSSL).

To resolve this problem the following patch can be applied to the stunnel source.

--- ssl.c.orig 2005-11-09 20:24:09.000000000 +0300
+++ ssl.c 2005-11-09 19:54:32.000000000 +0300
@@ -101,19 +103,19 @@ exit(1); } log(LOG_DEBUG, "Certificate: %s", options.pem); -#ifdef NO_RSA +/* #ifdef NO_RSA*/ if(!SSL_CTX_use_PrivateKey_file(ctx, options.pem, SSL_FILETYPE_PEM)) { sslerror("SSL_CTX_use_PrivateKey_file"); exit(1); } -#else /* NO_RSA */ - if(!SSL_CTX_use_RSAPrivateKey_file(ctx, options.pem, +/* #else *//* NO_RSA */ +/* if(!SSL_CTX_use_RSAPrivateKey_file(ctx, options.pem, SSL_FILETYPE_PEM)) { sslerror("SSL_CTX_use_RSAPrivateKey_file"); exit(1); - } -#endif /* NO_RSA */ + } */ +/* #endif *//* NO_RSA */ if(!SSL_CTX_check_private_key(ctx)) { sslerror("Private key does not match the certificate"); exit(1);

Note that the configure option --enable-dh should also be used to make DSA work, and a set of Diffie-Hellman parameters generated and put into stunnel.pem along with the server key and certificate.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-p3
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages stunnel depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libssl0.9.7 0.9.7e-3 SSL shared libraries
ii libwrap0 7.6.dbs-8 Wietse Venema's TCP wrappers libra
ii netbase 4.21 Basic TCP/IP networking system
ii openssl 0.9.8a-3 Secure Socket Layer (SSL) binary a

-- no debconf information

---------------------------------------
Received: (at 338340-close) by bugs.debian.org; 23 Nov 2005 07:21:24 +0000
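Review bot: The `#ifdef NO_RSA` branch is neutralised by wrapping it in block comments instead of deleting it, which leaves the dead RSA-only path in the file as commentary (`+/* #ifdef NO_RSA*/`, `+/* #else *//* NO_RSA */`, `+/* #endif *//* NO_RSA */` plus the commented-out `SSL_CTX_use_RSAPrivateKey_file` block); since an unconditional call to `SSL_CTX_use_PrivateKey_file` is the intended behaviour for every key type, removing the three preprocessor lines and the RSA-specific block outright would be clearer and avoids a later slip if someone adds a `/*` inside the commented-out code, which C does not nest. The retained `SSL_CTX_check_private_key` call is what still rejects a key that does not match the certificate, so that diagnostic is unaffected by the change. Separately, the header `@@ -101,19 +103,19 @@` carries a two-line offset that this hunk does not introduce, so the patched file contains an earlier edit that is not in the submission; a complete diff against the pristine source would be easier to apply and review.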
From: Julien Lemoine <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#338340: fixed in stunnel 2:3.26-5
Date: Tue, 22 Nov 2005 23:17:11 -0800

Source: stunnel
Source-Version: 2:3.26-5

We believe that the bug you reported is fixed in the latest version of stunnel, which is due to be installed in the Debian FTP archive:

stunnel_3.26-5.diff.gz to pool/main/s/stunnel/stunnel_3.26-5.diff.gz
stunnel_3.26-5.dsc to pool/main/s/stunnel/stunnel_3.26-5.dsc
stunnel_3.26-5_i386.deb to pool/main/s/stunnel/stunnel_3.26-5_i386.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Lemoine <[EMAIL PROTECTED]> (supplier of updated stunnel package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 Nov 2005 08:07:15 +0100
Source: stunnel
Binary: stunnel
Architecture: source i386
Version: 2:3.26-5
Distribution: unstable
Urgency: low
Maintainer: Julien Lemoine <[EMAIL PROTECTED]>
Changed-By: Julien Lemoine <[EMAIL PROTECTED]>
Description:
 stunnel    - Universal SSL tunnel for network daemons
Closes: 338340
Changes:
 stunnel (2:3.26-5) unstable; urgency=low
 .
   * Enable Diffie-Hellman (Added --enable-dh flag to configure) (Closes: #338340)
Files:
 74f33b5d17b4b532f94e8139cc0d279b 640 net optional stunnel_3.26-5.dsc
 601253a3f07b55f63fd36f92f8831225 25898 net optional stunnel_3.26-5.diff.gz
 d864c6e665af5bc5919986d8d1d39ae3 108190 net optional stunnel_3.26-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDhBWuc29c8N2YKnURArP/AJ9egtXq87DsYfxf2Xu+xtyTHPnZDQCdGM1Y
Fl12XZMQPkXTHifd3IR4CY8=
=wCZK
-----END PGP SIGNATURE-----
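The bug report in this thread turns on the difference between an RSA-specific key loader and OpenSSL's generic one. The shell script below is an added example, not part of the bug report, of the Debian package or of stunnel; it reproduces that difference with the openssl command-line tool (assumed installed, OpenSSL 1.1 or later). It generates a DSA and an RSA key/certificate pair as constructed test data, shows that an RSA-only routine rejects the DSA key in the same way the reported `SSL_CTX_use_RSAPrivateKey_file` call did, and checks key/certificate agreement in an algorithm-agnostic way, which is the command-line counterpart of the `SSL_CTX_use_PrivateKey_file` plus `SSL_CTX_check_private_key` path the patch makes unconditional. The function names and the temporary-directory layout are the example's own.

```shell
#!/bin/sh
# Added example (not part of the Debian bug report or of stunnel).
# Every key and certificate here is generated on the fly into a temporary
# directory, i.e. constructed test data. Requires the openssl CLI.

# Generate a DSA private key and a self-signed certificate for it.
# 1024-bit parameters keep the example fast; the key-type logic below
# does not depend on the size, and a deployment would use a larger key.
make_dsa_pair() {  # $1 = key file, $2 = cert file
    openssl dsaparam -genkey -noout -out "$1" 1024 2>/dev/null &&
    openssl req -new -x509 -key "$1" -subj "/CN=stunnel-dsa-example" \
        -days 1 -out "$2" 2>/dev/null
}

# Generate an RSA pair the same way, for comparison.
make_rsa_pair() {  # $1 = key file, $2 = cert file
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1" 2>/dev/null &&
    openssl req -new -x509 -key "$1" -subj "/CN=stunnel-rsa-example" \
        -days 1 -out "$2" 2>/dev/null
}

# Print the public-key algorithm named in a certificate
# (e.g. "dsaEncryption", "rsaEncryption", "id-ecPublicKey").
cert_key_algorithm() {  # $1 = cert file
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1
}

# RSA-specific check: succeeds only if the file holds an RSA key.
# This mirrors SSL_CTX_use_RSAPrivateKey_file(), the call that produced
# "expecting an rsa key" in the report when handed a DSA key.
rsa_only_check() {  # $1 = key file
    openssl rsa -in "$1" -noout 2>/dev/null
}

# Generic check: derive the public key from the private key and compare it
# with the public key embedded in the certificate. This works for any
# algorithm OpenSSL supports, which is what the generic loader followed by
# SSL_CTX_check_private_key() gives stunnel.
key_matches_cert() {  # $1 = key file, $2 = cert file
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Walk through the expectations; returns 0 only if all of them hold.
demo() {
    dir=$(mktemp -d) || return 1
    make_dsa_pair "$dir/dsa.key" "$dir/dsa.crt" || return 1
    make_rsa_pair "$dir/rsa.key" "$dir/rsa.crt" || return 1

    # The RSA-specific routine rejects the DSA key but accepts the RSA key.
    rsa_only_check "$dir/dsa.key" && return 1
    rsa_only_check "$dir/rsa.key" || return 1

    # The generic check accepts both pairs and still rejects a mismatch.
    key_matches_cert "$dir/dsa.key" "$dir/dsa.crt" || return 1
    key_matches_cert "$dir/rsa.key" "$dir/rsa.crt" || return 1
    key_matches_cert "$dir/dsa.key" "$dir/rsa.crt" && return 1

    printf 'dsa.crt: %s\n' "$(cert_key_algorithm "$dir/dsa.crt")"
    printf 'rsa.crt: %s\n' "$(cert_key_algorithm "$dir/rsa.crt")"
    rm -rf "$dir"
    return 0
}

# Run the demonstration when the script is executed directly.
demo && echo "all checks passed"
```

The same `key_matches_cert` comparison is a useful pre-flight check before handing a combined PEM file to `stunnel -p`: it tells you the key and certificate belong together without caring which algorithm they use, so a deployment that switches from RSA to DSA (or later to EC) keys fails at the check, with a clear reason, rather than at service start.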