Your message dated Tue, 22 Nov 2005 23:17:11 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#338340: fixed in stunnel 2:3.26-5
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 9 Nov 2005 17:27:05 +0000
>From [EMAIL PROTECTED] Wed Nov 09 09:27:05 2005
Return-path: <[EMAIL PROTECTED]>
Received: from cryptocom.ipmce.ru (mx.cryptocom.ru) [194.85.185.72] 
        by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
        id 1EZtiz-0004ui-00; Wed, 09 Nov 2005 09:27:05 -0800
Received: by mx.cryptocom.ru (Postfix, from userid 500)
        id 057C8F61A; Wed,  9 Nov 2005 20:27:00 +0300 (MSK)
Received: from lynx.lan.cryptocom.ru (lynx.lan.cryptocom.ru [10.51.17.202])
        by mx.cryptocom.ru (Postfix) with ESMTP id D9F7DF617
        for <[EMAIL PROTECTED]>; Wed,  9 Nov 2005 20:26:59 +0300 (MSK)
Received: from vitus by lynx.lan.cryptocom.ru with local (Exim 3.36 #1 (Debian))
        id 1EZtil-0006iY-00
        for <[EMAIL PROTECTED]>; Wed, 09 Nov 2005 20:26:51 +0300
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: "Victor B. Wagner" <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: stunnel doesn't support DSA server certificates.
X-Mailer: reportbug 3.8
Date: Wed, 09 Nov 2005 20:26:51 +0300
Message-Id: <[EMAIL PROTECTED]>
Sender: "Victor B. Wagner" <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Package: stunnel
Version: 2:3.26-3
Severity: normal
Tags: patch


An attempt to use a DSA server certificate and private key with stunnel
produces the following error:

[EMAIL PROTECTED] /usr/sbin/stunnel -d 4433 -p dsaserver.pem -D 7 -f -P none
-l /bin/cat -- cat
2005.11.09 20:07:53 LOG5[23269:16384]: Using 'cat' as tcpwrapper service name
2005.11.09 20:07:53 LOG7[23269:16384]: Snagged 64 random bytes from 
/home/vitus/.rnd
2005.11.09 20:07:53 LOG7[23269:16384]: Wrote 1024 new random bytes to 
/home/vitus/.rnd
2005.11.09 20:07:53 LOG7[23269:16384]: RAND_status claims sufficient entropy 
for the PRNG
2005.11.09 20:07:53 LOG6[23269:16384]: PRNG seeded successfully
2005.11.09 20:07:53 LOG7[23269:16384]: Certificate: dsaserver.pem
2005.11.09 20:07:53 LOG3[23269:16384]: SSL_CTX_use_RSAPrivateKey_file:
error:0607907F:digital envelope routines:EVP_PKEY_get1_RSA:expecting an
rsa key

The problem is that the upstream author deliberately uses an RSA-specific
routine for loading the private key if RSA support is compiled in, while the
generic routine SSL_CTX_use_PrivateKey_file, used in case stunnel is compiled
without DSA support, handles both DSA and RSA keys (and any other types of
keys which may be supported by newer versions of OpenSSL).

To resolve this problem the following patch can be applied to the stunnel
source.

--- ssl.c.orig  2005-11-09 20:24:09.000000000 +0300
+++ ssl.c       2005-11-09 19:54:32.000000000 +0300
@@ -101,19 +103,19 @@
             exit(1);
         }
         log(LOG_DEBUG, "Certificate: %s", options.pem);
-#ifdef NO_RSA
+/* #ifdef NO_RSA*/
         if(!SSL_CTX_use_PrivateKey_file(ctx, options.pem,
                 SSL_FILETYPE_PEM)) {
             sslerror("SSL_CTX_use_PrivateKey_file");
             exit(1);
         }
-#else /* NO_RSA */
-        if(!SSL_CTX_use_RSAPrivateKey_file(ctx, options.pem,
+/* #else *//* NO_RSA */
+/*        if(!SSL_CTX_use_RSAPrivateKey_file(ctx, options.pem,
                 SSL_FILETYPE_PEM)) {
             sslerror("SSL_CTX_use_RSAPrivateKey_file");
             exit(1);
-        } 
-#endif /* NO_RSA */
+        } */
+/* #endif *//* NO_RSA */
         if(!SSL_CTX_check_private_key(ctx)) {
             sslerror("Private key does not match the certificate");
             exit(1);
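
Review bot: commenting out the #ifdef NO_RSA / #else / #endif lines and the
SSL_CTX_use_RSAPrivateKey_file branch leaves dead code in ssl.c; since
SSL_CTX_use_PrivateKey_file already handles RSA, DSA and any other key type
OpenSSL knows, the cleaner change is to delete the conditional and the
RSA-specific branch outright and keep only the SSL_CTX_use_PrivateKey_file
call with its sslerror("SSL_CTX_use_PrivateKey_file") and exit(1). The hunk
header "@@ -101,19 +103,19 @@" also shows a two-line offset between the old
and new file that this hunk does not account for, so the diff was taken
against a tree with other local changes and patch will need fuzz or an offset
to apply it; regenerating it against a clean ssl.c would avoid that.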

Note that the configure option --enable-dh should also be used to make DSA 
work, and a set of Diffie-Hellman parameters generated and put into stunnel.pem 
along with the server key and certificate.


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.27-p3
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R (charmap=KOI8-R)

Versions of packages stunnel depends on:
ii  libc6                       2.3.2.ds1-22 GNU C Library: Shared libraries an
ii  libssl0.9.7                 0.9.7e-3     SSL shared libraries
ii  libwrap0                    7.6.dbs-8    Wietse Venema's TCP wrappers libra
ii  netbase                     4.21         Basic TCP/IP networking system
ii  openssl                     0.9.8a-3     Secure Socket Layer (SSL) binary a

-- no debconf information
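
A configuration check written for this thread (an added example, not stunnel's or the reporter's code): it parses the PEM block labels in a stunnel.pem bundle and reports the two conditions the report describes, a non-RSA key that an RSA-only loader rejects, and a DSA key without the Diffie-Hellman parameters it needs. The sample bundles and their base64 bodies are constructed placeholders, not real keys.

```python
import re

# Constructed sample: a stunnel.pem bundle carrying a DSA key and a certificate
# but no Diffie-Hellman parameters (the base64 bodies are placeholders).
SAMPLE_DSA_BUNDLE = """-----BEGIN DSA PRIVATE KEY-----
MIIBugIBAAKBgQDplaceholder
-----END DSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIICpDCCAYwCCQDplaceholder
-----END CERTIFICATE-----
"""

# The same bundle with DH parameters appended, as the report says DSA needs.
SAMPLE_DSA_BUNDLE_WITH_DH = SAMPLE_DSA_BUNDLE + """-----BEGIN DH PARAMETERS-----
MIGHAoGBAPplaceholder
-----END DH PARAMETERS-----
"""

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

def pem_labels(text):
    """Ordered list of the PEM block labels found in a bundle."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]

def key_type(labels):
    """Key algorithm as far as the PEM label reveals it.
    'RSA PRIVATE KEY' and 'DSA PRIVATE KEY' are the legacy OpenSSL labels;
    'PRIVATE KEY' is PKCS#8, whose algorithm is only visible inside the DER."""
    for label in labels:
        if label == "RSA PRIVATE KEY":
            return "RSA"
        if label == "DSA PRIVATE KEY":
            return "DSA"
        if label == "PRIVATE KEY":
            return "PKCS8"
    return None

def check_bundle(text, rsa_only_loader=True):
    """Problems a stunnel 3.26-style deployment would hit with this bundle.
    rsa_only_loader models stunnel built with RSA support, which loads the key
    with SSL_CTX_use_RSAPrivateKey_file and therefore rejects non-RSA keys."""
    labels = pem_labels(text)
    kt = key_type(labels)
    problems = []
    if kt is None:
        problems.append("no private key block")
    if "CERTIFICATE" not in labels:
        problems.append("no certificate block")
    if rsa_only_loader and kt not in (None, "RSA"):
        problems.append("%s key is rejected by SSL_CTX_use_RSAPrivateKey_file; "
                        "the generic SSL_CTX_use_PrivateKey_file is needed" % kt)
    if kt == "DSA" and "DH PARAMETERS" not in labels:
        problems.append("DSA key needs DH parameters in the bundle "
                        "(and stunnel configured with --enable-dh)")
    return problems
```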

---------------------------------------
Received: (at 338340-close) by bugs.debian.org; 23 Nov 2005 07:21:24 +0000
>From [EMAIL PROTECTED] Tue Nov 22 23:21:24 2005
Return-path: <[EMAIL PROTECTED]>
Received: from katie by spohr.debian.org with local (Exim 4.50)
        id 1EeosR-0004yA-58; Tue, 22 Nov 2005 23:17:11 -0800
From: Julien Lemoine <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
X-Katie: $Revision: 1.56 $
Subject: Bug#338340: fixed in stunnel 2:3.26-5
Message-Id: <[EMAIL PROTECTED]>
Sender: Archive Administrator <[EMAIL PROTECTED]>
Date: Tue, 22 Nov 2005 23:17:11 -0800
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: stunnel
Source-Version: 2:3.26-5

We believe that the bug you reported is fixed in the latest version of
stunnel, which is due to be installed in the Debian FTP archive:

stunnel_3.26-5.diff.gz
  to pool/main/s/stunnel/stunnel_3.26-5.diff.gz
stunnel_3.26-5.dsc
  to pool/main/s/stunnel/stunnel_3.26-5.dsc
stunnel_3.26-5_i386.deb
  to pool/main/s/stunnel/stunnel_3.26-5_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Julien Lemoine <[EMAIL PROTECTED]> (supplier of updated stunnel package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 23 Nov 2005 08:07:15 +0100
Source: stunnel
Binary: stunnel
Architecture: source i386
Version: 2:3.26-5
Distribution: unstable
Urgency: low
Maintainer: Julien Lemoine <[EMAIL PROTECTED]>
Changed-By: Julien Lemoine <[EMAIL PROTECTED]>
Description: 
 stunnel    - Universal SSL tunnel for network daemons
Closes: 338340
Changes: 
 stunnel (2:3.26-5) unstable; urgency=low
 .
   * Enable Diffie-Hellman (Added --enable-dh flag to configure)
     (Closes: #338340)
Files: 
 74f33b5d17b4b532f94e8139cc0d279b 640 net optional stunnel_3.26-5.dsc
 601253a3f07b55f63fd36f92f8831225 25898 net optional stunnel_3.26-5.diff.gz
 d864c6e665af5bc5919986d8d1d39ae3 108190 net optional stunnel_3.26-5_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDhBWuc29c8N2YKnURArP/AJ9egtXq87DsYfxf2Xu+xtyTHPnZDQCdGM1Y
Fl12XZMQPkXTHifd3IR4CY8=
=wCZK
-----END PGP SIGNATURE-----

