1 (edited by roytam1 2018-12-04 06:54:41)

Topic: wolfssl with stunnel?

I read https://www.wolfssl.com/wolfssl-in-stunnel-tls-proxy-2/ and I'm thinking about recompiling stunnel-4.15, which is used on my CentOS 5 server (for some reasons I can't migrate the system to a newer CentOS or change the OpenSSL version on it), to use wolfSSL (in static library form if possible).

So the question is: is there a lower-bound version of stunnel that can be used with wolfSSL?


Re: wolfssl with stunnel?

I actually tried compiling stunnel-5.48 against wolfssl-3.15.5 and it produces lots of errors. How can I compile/configure it?

My stunnel configure line is:
CC='gcc -I/usr/local/include/wolfssl -DOPENSSL_NO_ENGINE -DSSL2_VERSION=2' LDFLAGS=-L/usr/local/lib LIBS=-lwolfssl ./configure --disable-fips --disable-systemd


Re: wolfssl with stunnel?

So 5.48 is not supported yet; I read the git logs and tried 5.40 instead.

<wolfssl/ssl.h> doesn't include <wolfssl/options.h>, so I added this line before the other includes.

make[2]: Entering directory `/home/roy/prj/stunnel-5.40/src'
  CC       env.lo
  CCLD     libstunnel.la
  CC       stunnel-tls.o
  CC       stunnel-str.o
  CC       stunnel-file.o
  CC       stunnel-client.o
client.c: In function ‘print_cipher’:
client.c:1098:5: warning: implicit declaration of function ‘SSL_get_current_compression’ [-Wimplicit-function-declaration]
     compression=SSL_get_current_compression(c->ssl);
     ^
client.c:1098:16: warning: assignment makes pointer from integer without a cast [enabled by default]
     compression=SSL_get_current_compression(c->ssl);
                ^
client.c:1099:5: warning: implicit declaration of function ‘SSL_get_current_expansion’ [-Wimplicit-function-declaration]
     expansion=SSL_get_current_expansion(c->ssl);
     ^
client.c:1099:14: warning: assignment makes pointer from integer without a cast [enabled by default]
     expansion=SSL_get_current_expansion(c->ssl);
              ^
client.c:1102:9: warning: implicit declaration of function ‘SSL_COMP_get_name’ [-Wimplicit-function-declaration]
         compression ? SSL_COMP_get_name(compression) : "null",
         ^
client.c:1102:54: warning: pointer/integer type mismatch in conditional expression [enabled by default]
         compression ? SSL_COMP_get_name(compression) : "null",
                                                      ^
client.c:1103:50: warning: pointer/integer type mismatch in conditional expression [enabled by default]
         expansion ? SSL_COMP_get_name(expansion) : "null");
                                                  ^
  CC       stunnel-log.o
  CC       stunnel-options.o
options.c: In function ‘parse_service_option’:
options.c:1534:9: warning: implicit declaration of function ‘OBJ_txt2nid’ [-Wimplicit-function-declaration]
         section->curve=OBJ_txt2nid(arg);
         ^
options.c:1543:9: warning: implicit declaration of function ‘OBJ_nid2ln’ [-Wimplicit-function-declaration]
         s_log(LOG_NOTICE, "%-22s = %s", "curve", OBJ_nid2ln(DEFAULT_CURVE));
         ^
options.c:1543:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 4 has type ‘int’ [-Wformat=]
  CC       stunnel-protocol.o
  CC       stunnel-network.o
  CC       stunnel-resolver.o
  CC       stunnel-ssl.o
ssl.c: In function ‘compression_init’:
ssl.c:167:9: warning: implicit declaration of function ‘sk_SSL_COMP_num’ [-Wimplicit-function-declaration]
         while(sk_SSL_COMP_num(methods))
         ^
ssl.c:168:13: warning: implicit declaration of function ‘sk_SSL_COMP_pop’ [-Wimplicit-function-declaration]
             OPENSSL_free(sk_SSL_COMP_pop(methods));
             ^
ssl.c:168:13: warning: passing argument 1 of ‘wolfSSL_OPENSSL_free’ makes pointer from integer without a cast [enabled by default]
In file included from /usr/local/include/wolfssl/ssl.h:2769:0,
                 from /usr/local/include/openssl/ssl.h:35,
                 from common.h:464,
                 from ssl.c:38:
/usr/local/include/wolfssl/openssl/crypto.h:40:18: note: expected ‘void *’ but argument is of type ‘int’
 WOLFSSL_API void wolfSSL_OPENSSL_free(void*);
                  ^
  CC       stunnel-ctx.o
ctx.c: In function ‘SSL_CTX_get_ciphers’:
ctx.c:292:15: error: dereferencing pointer to incomplete type
     return ctx->cipher_list;
               ^
ctx.c: In function ‘dh_init’:
ctx.c:307:5: warning: implicit declaration of function ‘sk_SSL_CIPHER_num’ [-Wimplicit-function-declaration]
     n=sk_SSL_CIPHER_num(ciphers);
     ^
ctx.c:310:9: warning: implicit declaration of function ‘sk_SSL_CIPHER_value’ [-Wimplicit-function-declaration]
         SSL_CIPHER_description(sk_SSL_CIPHER_value(ciphers, i),
         ^
ctx.c:311:13: warning: passing argument 1 of ‘wolfSSL_CIPHER_description’ makes pointer from integer without a cast [enabled by default]
             description, sizeof description);
             ^
In file included from /usr/local/include/openssl/ssl.h:35:0,
                 from common.h:464,
                 from ctx.c:38:
/usr/local/include/wolfssl/ssl.h:807:19: note: expected ‘const struct WOLFSSL_CIPHER *’ but argument is of type ‘int’
 WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int);
                   ^
ctx.c: In function ‘ecdh_init’:
ctx.c:379:13: warning: implicit declaration of function ‘OBJ_nid2ln’ [-Wimplicit-function-declaration]
             OBJ_nid2ln(section->curve));
             ^
ctx.c:379:13: warning: format ‘%s’ expects argument of type ‘char *’, but argument 3 has type ‘int’ [-Wformat=]
ctx.c:382:5: warning: implicit declaration of function ‘SSL_CTX_set_tmp_ecdh’ [-Wimplicit-function-declaration]
     SSL_CTX_set_tmp_ecdh(section->ctx, ecdh);
     ^
ctx.c:385:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 3 has type ‘int’ [-Wformat=]
         OBJ_nid2ln(section->curve));
         ^
ctx.c: In function ‘ui_retry’:
ctx.c:830:10: error: ‘ERR_LIB_ASN1’ undeclared (first use in this function)
     case ERR_LIB_ASN1:
          ^
ctx.c:830:10: note: each undeclared identifier is reported only once for each function it appears in
ctx.c:832:10: error: ‘ERR_LIB_PKCS12’ undeclared (first use in this function)
     case ERR_LIB_PKCS12:
          ^
ctx.c:834:14: error: ‘PKCS12_R_MAC_VERIFY_FAILURE’ undeclared (first use in this function)
         case PKCS12_R_MAC_VERIFY_FAILURE:
              ^
ctx.c:839:10: error: ‘ERR_LIB_EVP’ undeclared (first use in this function)
     case ERR_LIB_EVP:
          ^
ctx.c:848:14: error: ‘PEM_R_BAD_PASSWORD_READ’ undeclared (first use in this function)
         case PEM_R_BAD_PASSWORD_READ:
              ^
ctx.c:853:10: error: ‘ERR_LIB_UI’ undeclared (first use in this function)
     case ERR_LIB_UI:
          ^
ctx.c:855:14: error: ‘UI_R_RESULT_TOO_LARGE’ undeclared (first use in this function)
         case UI_R_RESULT_TOO_LARGE:
              ^
ctx.c:856:14: error: ‘UI_R_RESULT_TOO_SMALL’ undeclared (first use in this function)
         case UI_R_RESULT_TOO_SMALL:
              ^
ctx.c:861:10: error: ‘ERR_LIB_USER’ undeclared (first use in this function)
     case ERR_LIB_USER: /* PKCS#11 hacks */
          ^
ctx.c: In function ‘info_callback’:
ctx.c:1120:19: error: ‘TLS_ST_CR_CERT_REQ’ undeclared (first use in this function)
         if(state==TLS_ST_CR_CERT_REQ)
                   ^
ctx.c:1124:13: warning: implicit declaration of function ‘SSL_get_client_CA_list’ [-Wimplicit-function-declaration]
             print_client_CA_list(SSL_get_client_CA_list(ssl));
             ^
ctx.c:1124:13: warning: passing argument 1 of ‘print_client_CA_list’ makes pointer from integer without a cast [enabled by default]
In file included from ctx.c:39:0:
prototypes.h:521:6: note: expected ‘const struct WOLFSSL_STACK *’ but argument is of type ‘int’
 void print_client_CA_list(const STACK_OF(X509_NAME) *);
      ^
ctx.c:1126:19: error: ‘TLS_ST_CR_SRVR_DONE’ undeclared (first use in this function)
         if(state==TLS_ST_CR_SRVR_DONE)
                   ^
ctx.c: In function ‘SSL_CTX_get_ciphers’:
ctx.c:293:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
make[2]: *** [stunnel-ctx.o] Error 1
make[2]: Leaving directory `/home/roy/prj/stunnel-5.40/src'
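The "implicit declaration" and "makes pointer from integer" warnings in the log above are the interesting ones: each is an OpenSSL function stunnel calls that wolfSSL's compatibility layer does not provide, and on a 64-bit host a pointer returned through an implicit int declaration is silently truncated. Building with -Werror=implicit-function-declaration turns them into hard errors. The script below is an added example (not from this thread or from wolfSSL) that checks, before the build, whether the wolfSSL symbols behind those OpenSSL names are exported by the library; the SSL_ to wolfSSL_ renaming rule is a heuristic inferred from the warnings (OPENSSL_free -> wolfSSL_OPENSSL_free, SSL_CIPHER_description -> wolfSSL_CIPHER_description), not wolfSSL's documented mapping, and the nm listing is constructed.

```shell
#!/bin/sh
# Constructed nm-style export listing standing in for `nm -D libwolfssl.so`
# (not output from a real wolfSSL build).
SAMPLE_NM='0000000000012340 T wolfSSL_OPENSSL_free
0000000000012350 T wolfSSL_CIPHER_description
0000000000012360 T wolfSSL_CTX_set_cipher_list
0000000000012370 T wolfSSL_get_client_CA_list
0000000000012380 t wolfSSL_internal_helper'

# Map an OpenSSL API name to the wolfSSL symbol its compat macro expands to.
# Heuristic assumption: names starting with SSL_ become wolfSSL_..., everything
# else gets a wolfSSL_ prefix (matches the renames visible in the build log).
compat_symbol() {
    case "$1" in
        SSL_*) printf 'wolf%s\n' "$1" ;;
        *)     printf 'wolfSSL_%s\n' "$1" ;;
    esac
}

# Print every OpenSSL name in $1 (space-separated) whose wolfSSL counterpart
# is not an exported text symbol (" T ") in the nm listing passed as $2.
# Returns 1 if anything is missing, 0 if the compat layer covers all of them.
missing_compat() {
    names=$1; listing=$2; rc=0
    for n in $names; do
        sym=$(compat_symbol "$n")
        if ! printf '%s\n' "$listing" | grep -q " T $sym\$"; then
            echo "$n -> $sym: missing"
            rc=1
        fi
    done
    return $rc
}

# The names stunnel's client.c/ctx.c/ssl.c warned about, plus two that worked.
STUNNEL_NEEDS="SSL_get_current_compression SSL_COMP_get_name OBJ_txt2nid \
OBJ_nid2ln sk_SSL_COMP_num sk_SSL_CIPHER_num SSL_CTX_set_tmp_ecdh \
SSL_get_client_CA_list OPENSSL_free SSL_CIPHER_description"

missing_compat "$STUNNEL_NEEDS" "$SAMPLE_NM"
```

Against a real install, replace SAMPLE_NM with `$(nm -D /usr/local/lib/libwolfssl.so)` (or `nm libwolfssl.a` for the static build) and run the check before ./configure; any line it prints will become a truncated-pointer call at runtime unless the build is made to fail on implicit declarations.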


Re: wolfssl with stunnel?

Hi @roytam,

wolfSSL has ported and maintains a version of stunnel 5.4 where we integrated support for wolfSSL. We have tried getting those changes merged but so far Stunnel has not accepted them. Could you tell us what it is you are working on and the end goals for your project?

Could you also send an email to rod@wolfssl.com and let him know you are interested in evaluating our wolfSSL ported version of Stunnel?


Warm Regards,

K

5 (edited by roytam1 2018-12-05 19:25:35)

Re: wolfssl with stunnel?

Kaleb J. Himes wrote:

Hi @roytam,

wolfSSL has ported and maintains a version of stunnel 5.4 where we integrated support for wolfSSL. We have tried getting those changes merged but so far Stunnel has not accepted them. Could you tell us what it is you are working on and the end goals for your project?

Could you also send an email to rod@wolfssl.com and let him know you are interested in evaluating our wolfSSL ported version of Stunnel?


Warm Regards,

K

I sent an email as well.

Just out of curiosity, why don't you just put your forked stunnel and haproxy under https://github.com/wolfSSL ?


Re: wolfssl with stunnel?

roytam1,

Just out of curiosity, why don't you just put your forked stunnel and haproxy under https://github.com/wolfSSL ?

That is a great question but unfortunately one I do not know the answer to. It was a decision made by our management and I am not privy to their reasoning!

Warm Regards,

K

Re: wolfssl with stunnel?

Kaleb J. Himes wrote:

roytam1,

Just out of curiosity, why don't you just put your forked stunnel and haproxy under https://github.com/wolfSSL ?

That is a great question but unfortunately one I do not know the answer to. It was a decision made by our management and I am not privy to their reasoning!

Warm Regards,

K

It has been some days since I sent an email to you (or your colleagues) and there has been no reply. Am I being rejected from evaluation of wolfSSL's version of stunnel and/or haproxy?


Re: wolfssl with stunnel?

roytam1,

No, not at all, so sorry for the delay. I had asked you to contact rich@wolfssl.com, who has been out sick all week with the flu. I have sent your contact info to Tim Pickering of wolfSSL in Rich's absence. Please expect an email from Tim shortly.

Warm Regards,

K

9 (edited by roytam1 2018-12-18 18:06:25)

Re: wolfssl with stunnel?

Kaleb J. Himes wrote:

roytam1,

No, not at all, so sorry for the delay. I had asked you to contact rich@wolfssl.com, who has been out sick all week with the flu. I have sent your contact info to Tim Pickering of wolfSSL in Rich's absence. Please expect an email from Tim shortly.

Warm Regards,

K

Yet more days have passed and still no response :S

EDIT: Finally got a reply from Rich. Glad that you can consider releasing the source under the GPL.


Re: wolfssl with stunnel?

So I found your stunnel fork can be compiled with wolfSSL after some hacking on config.h, and I can test the library with various clients.
I also opened an issue here: https://github.com/wolfSSL/wolfssl/issues/1999

Merry Christmas and happy new year!


Re: wolfssl with stunnel?

@roytam1,

Yes, that branch you found was our work which we attempted to get the stunnel maintainer to accept into the master stunnel repository. Unfortunately he did not ultimately accept our contribution and the effort is now outdated.

You'll notice the last update on that branch was in September of 2015. That means we would have been working off our master in github and the next most recent release would be wolfSSL v3.6.8. Link: https://github.com/wolfSSL/wolfssl/releases/tag/v3.6.8

Have you tried running your tests with that version of wolfSSL? Also, I noticed in your GitHub issue you mention you are building on Windows. We have not tested any of this on Windows, and since you are using the ./configure script I can only assume you are using a Cygwin-like *NIX emulator environment? If building on Windows we recommend using Visual Studio and the wolfssl/wolfssl64.sln solution, as there are often issues with *NIX emulated environments and the autotools.

- K

Re: wolfssl with stunnel?

Kaleb J. Himes wrote:

@roytam1,

Yes, that branch you found was our work which we attempted to get the stunnel maintainer to accept into the master stunnel repository. Unfortunately he did not ultimately accept our contribution and the effort is now outdated.

You'll notice the last update on that branch was in September of 2015. That means we would have been working off our master in github and the next most recent release would be wolfSSL v3.6.8. Link: https://github.com/wolfSSL/wolfssl/releases/tag/v3.6.8

Have you tried running your tests with that version of wolfSSL? Also, I noticed in your GitHub issue you mention you are building on Windows. We have not tested any of this on Windows, and since you are using the ./configure script I can only assume you are using a Cygwin-like *NIX emulator environment? If building on Windows we recommend using Visual Studio and the wolfssl/wolfssl64.sln solution, as there are often issues with *NIX emulated environments and the autotools.

- K

I built that stunnel under Linux (CentOS 5), adding these lines to config.h in order to build with wolfssl-master:

#define OPENSSL_NO_COMP 1
#define OPENSSL_NO_ECDH 1
#define OPENSSL_NO_MD4 1

and the bug report is tested against Windows *clients*.
