1 (edited by roytam1 2018-12-04 06:54:41)

Topic: wolfssl with stunnel?

I read https://www.wolfssl.com/wolfssl-in-stunnel-tls-proxy-2/ and I'm thinking about recompiling stunnel-4.15, which is used on my centos5 server (for some reasons I can't migrate the system to a newer centos, or change the openssl version on it), to use wolfssl (in static library form if possible).

So the question is: is there a lower-bound limit on the stunnel version that can be used with wolfssl?


Re: wolfssl with stunnel?

I actually tried compiling stunnel-5.48 against wolfssl-3.15.5 and it produces lots of errors. How can I compile/configure it?

My stunnel configure line is:
CC='gcc -I/usr/local/include/wolfssl -DOPENSSL_NO_ENGINE -DSSL2_VERSION=2' LDFLAGS=-L/usr/local/lib LIBS=-lwolfssl ./configure --disable-fips --disable-systemd


Re: wolfssl with stunnel?

So 5.48 is not supported yet; I read the git logs and tried 5.40 instead.

<wolfssl/ssl.h> doesn't include <wolfssl/options.h>, so I added that include before the other includes.

make[2]: Entering directory `/home/roy/prj/stunnel-5.40/src'
  CC       env.lo
  CCLD     libstunnel.la
  CC       stunnel-tls.o
  CC       stunnel-str.o
  CC       stunnel-file.o
  CC       stunnel-client.o
client.c: In function ‘print_cipher’:
client.c:1098:5: warning: implicit declaration of function ‘SSL_get_current_compression’ [-Wimplicit-function-declaration]
     compression=SSL_get_current_compression(c->ssl);
     ^
client.c:1098:16: warning: assignment makes pointer from integer without a cast [enabled by default]
     compression=SSL_get_current_compression(c->ssl);
                ^
client.c:1099:5: warning: implicit declaration of function ‘SSL_get_current_expansion’ [-Wimplicit-function-declaration]
     expansion=SSL_get_current_expansion(c->ssl);
     ^
client.c:1099:14: warning: assignment makes pointer from integer without a cast [enabled by default]
     expansion=SSL_get_current_expansion(c->ssl);
              ^
client.c:1102:9: warning: implicit declaration of function ‘SSL_COMP_get_name’ [-Wimplicit-function-declaration]
         compression ? SSL_COMP_get_name(compression) : "null",
         ^
client.c:1102:54: warning: pointer/integer type mismatch in conditional expression [enabled by default]
         compression ? SSL_COMP_get_name(compression) : "null",
                                                      ^
client.c:1103:50: warning: pointer/integer type mismatch in conditional expression [enabled by default]
         expansion ? SSL_COMP_get_name(expansion) : "null");
                                                  ^
  CC       stunnel-log.o
  CC       stunnel-options.o
options.c: In function ‘parse_service_option’:
options.c:1534:9: warning: implicit declaration of function ‘OBJ_txt2nid’ [-Wimplicit-function-declaration]
         section->curve=OBJ_txt2nid(arg);
         ^
options.c:1543:9: warning: implicit declaration of function ‘OBJ_nid2ln’ [-Wimplicit-function-declaration]
         s_log(LOG_NOTICE, "%-22s = %s", "curve", OBJ_nid2ln(DEFAULT_CURVE));
         ^
options.c:1543:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 4 has type ‘int’ [-Wformat=]
  CC       stunnel-protocol.o
  CC       stunnel-network.o
  CC       stunnel-resolver.o
  CC       stunnel-ssl.o
ssl.c: In function ‘compression_init’:
ssl.c:167:9: warning: implicit declaration of function ‘sk_SSL_COMP_num’ [-Wimplicit-function-declaration]
         while(sk_SSL_COMP_num(methods))
         ^
ssl.c:168:13: warning: implicit declaration of function ‘sk_SSL_COMP_pop’ [-Wimplicit-function-declaration]
             OPENSSL_free(sk_SSL_COMP_pop(methods));
             ^
ssl.c:168:13: warning: passing argument 1 of ‘wolfSSL_OPENSSL_free’ makes pointer from integer without a cast [enabled by default]
In file included from /usr/local/include/wolfssl/ssl.h:2769:0,
                 from /usr/local/include/openssl/ssl.h:35,
                 from common.h:464,
                 from ssl.c:38:
/usr/local/include/wolfssl/openssl/crypto.h:40:18: note: expected ‘void *’ but argument is of type ‘int’
 WOLFSSL_API void wolfSSL_OPENSSL_free(void*);
                  ^
  CC       stunnel-ctx.o
ctx.c: In function ‘SSL_CTX_get_ciphers’:
ctx.c:292:15: error: dereferencing pointer to incomplete type
     return ctx->cipher_list;
               ^
ctx.c: In function ‘dh_init’:
ctx.c:307:5: warning: implicit declaration of function ‘sk_SSL_CIPHER_num’ [-Wimplicit-function-declaration]
     n=sk_SSL_CIPHER_num(ciphers);
     ^
ctx.c:310:9: warning: implicit declaration of function ‘sk_SSL_CIPHER_value’ [-Wimplicit-function-declaration]
         SSL_CIPHER_description(sk_SSL_CIPHER_value(ciphers, i),
         ^
ctx.c:311:13: warning: passing argument 1 of ‘wolfSSL_CIPHER_description’ makes pointer from integer without a cast [enabled by default]
             description, sizeof description);
             ^
In file included from /usr/local/include/openssl/ssl.h:35:0,
                 from common.h:464,
                 from ctx.c:38:
/usr/local/include/wolfssl/ssl.h:807:19: note: expected ‘const struct WOLFSSL_CIPHER *’ but argument is of type ‘int’
 WOLFSSL_API char* wolfSSL_CIPHER_description(const WOLFSSL_CIPHER*, char*, int);
                   ^
ctx.c: In function ‘ecdh_init’:
ctx.c:379:13: warning: implicit declaration of function ‘OBJ_nid2ln’ [-Wimplicit-function-declaration]
             OBJ_nid2ln(section->curve));
             ^
ctx.c:379:13: warning: format ‘%s’ expects argument of type ‘char *’, but argument 3 has type ‘int’ [-Wformat=]
ctx.c:382:5: warning: implicit declaration of function ‘SSL_CTX_set_tmp_ecdh’ [-Wimplicit-function-declaration]
     SSL_CTX_set_tmp_ecdh(section->ctx, ecdh);
     ^
ctx.c:385:9: warning: format ‘%s’ expects argument of type ‘char *’, but argument 3 has type ‘int’ [-Wformat=]
         OBJ_nid2ln(section->curve));
         ^
ctx.c: In function ‘ui_retry’:
ctx.c:830:10: error: ‘ERR_LIB_ASN1’ undeclared (first use in this function)
     case ERR_LIB_ASN1:
          ^
ctx.c:830:10: note: each undeclared identifier is reported only once for each function it appears in
ctx.c:832:10: error: ‘ERR_LIB_PKCS12’ undeclared (first use in this function)
     case ERR_LIB_PKCS12:
          ^
ctx.c:834:14: error: ‘PKCS12_R_MAC_VERIFY_FAILURE’ undeclared (first use in this function)
         case PKCS12_R_MAC_VERIFY_FAILURE:
              ^
ctx.c:839:10: error: ‘ERR_LIB_EVP’ undeclared (first use in this function)
     case ERR_LIB_EVP:
          ^
ctx.c:848:14: error: ‘PEM_R_BAD_PASSWORD_READ’ undeclared (first use in this function)
         case PEM_R_BAD_PASSWORD_READ:
              ^
ctx.c:853:10: error: ‘ERR_LIB_UI’ undeclared (first use in this function)
     case ERR_LIB_UI:
          ^
ctx.c:855:14: error: ‘UI_R_RESULT_TOO_LARGE’ undeclared (first use in this function)
         case UI_R_RESULT_TOO_LARGE:
              ^
ctx.c:856:14: error: ‘UI_R_RESULT_TOO_SMALL’ undeclared (first use in this function)
         case UI_R_RESULT_TOO_SMALL:
              ^
ctx.c:861:10: error: ‘ERR_LIB_USER’ undeclared (first use in this function)
     case ERR_LIB_USER: /* PKCS#11 hacks */
          ^
ctx.c: In function ‘info_callback’:
ctx.c:1120:19: error: ‘TLS_ST_CR_CERT_REQ’ undeclared (first use in this function)
         if(state==TLS_ST_CR_CERT_REQ)
                   ^
ctx.c:1124:13: warning: implicit declaration of function ‘SSL_get_client_CA_list’ [-Wimplicit-function-declaration]
             print_client_CA_list(SSL_get_client_CA_list(ssl));
             ^
ctx.c:1124:13: warning: passing argument 1 of ‘print_client_CA_list’ makes pointer from integer without a cast [enabled by default]
In file included from ctx.c:39:0:
prototypes.h:521:6: note: expected ‘const struct WOLFSSL_STACK *’ but argument is of type ‘int’
 void print_client_CA_list(const STACK_OF(X509_NAME) *);
      ^
ctx.c:1126:19: error: ‘TLS_ST_CR_SRVR_DONE’ undeclared (first use in this function)
         if(state==TLS_ST_CR_SRVR_DONE)
                   ^
ctx.c: In function ‘SSL_CTX_get_ciphers’:
ctx.c:293:1: warning: control reaches end of non-void function [-Wreturn-type]
 }
 ^
make[2]: *** [stunnel-ctx.o] Error 1
make[2]: Leaving directory `/home/roy/prj/stunnel-5.40/src'

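The build log above mixes two kinds of failure: functions the compiler declared implicitly (under C89 rules they become `int f()`, which is why each one is followed by a "makes pointer from integer" warning, and any pointer they return is silently truncated) and identifiers the compat headers never define at all. The following script is an added example, not code from the thread, from stunnel or from wolfSSL: it pulls both kinds of missing OpenSSL symbol out of such a log and then checks which of them appear nowhere under a given header directory, so the real gaps in the compatibility layer can be listed before anything is patched. The `SAMPLE_LOG` is a constructed excerpt of the log above, and the header directory passed to `symbols_not_in_headers` is whatever you point it at (the thread's install prefix is `/usr/local/include/wolfssl`).

```shell
#!/bin/sh
# Added example (not from the thread, stunnel or wolfSSL): triage a build log
# from compiling against wolfSSL's OpenSSL compatibility layer.

# Constructed sample: a handful of lines copied from the build log in the thread.
SAMPLE_LOG='client.c:1098:5: warning: implicit declaration of function ‘SSL_get_current_compression’ [-Wimplicit-function-declaration]
client.c:1098:16: warning: assignment makes pointer from integer without a cast [enabled by default]
client.c:1102:9: warning: implicit declaration of function ‘SSL_COMP_get_name’ [-Wimplicit-function-declaration]
options.c:1534:9: warning: implicit declaration of function ‘OBJ_txt2nid’ [-Wimplicit-function-declaration]
ctx.c:379:13: warning: implicit declaration of function ‘OBJ_nid2ln’ [-Wimplicit-function-declaration]
ctx.c:830:10: error: ‘ERR_LIB_ASN1’ undeclared (first use in this function)
ctx.c:1120:19: error: ‘TLS_ST_CR_CERT_REQ’ undeclared (first use in this function)
ctx.c:292:15: error: dereferencing pointer to incomplete type'

# Functions the compiler declared implicitly. The pattern skips the compiler's
# opening quote byte-by-byte ([^A-Za-z_]*) so it works in C and UTF-8 locales.
missing_functions() {
    printf '%s\n' "$1" \
      | LC_ALL=C sed -n 's/.*implicit declaration of function [^A-Za-z_]*\([A-Za-z_0-9]*\).*/\1/p' \
      | LC_ALL=C sort -u
}

# Macros / enum values that the headers do not define at all.
undeclared_identifiers() {
    printf '%s\n' "$1" \
      | LC_ALL=C sed -n 's/.*error: [^A-Za-z_]*\([A-Za-z_0-9]*\)[^ ]* undeclared.*/\1/p' \
      | LC_ALL=C sort -u
}

# Given a log and a header directory, print the symbols that occur in none of
# the headers there: these are genuine gaps, as opposed to symbols that exist
# but are gated behind a compile-time option (for example one missing from
# wolfssl/options.h). Output order: functions first, then identifiers.
symbols_not_in_headers() {
    log="$1"; hdr_dir="$2"
    { missing_functions "$log"; undeclared_identifiers "$log"; } \
      | while IFS= read -r sym; do
            grep -rqw -- "$sym" "$hdr_dir" || printf '%s\n' "$sym"
        done
}

# Stand-alone run on the constructed sample (a real run would use
# "make 2>&1 | tee build.log" and then pass "$(cat build.log)").
echo "implicitly declared functions:"
missing_functions "$SAMPLE_LOG"
echo "undeclared identifiers:"
undeclared_identifiers "$SAMPLE_LOG"
```

Against a real tree, run `symbols_not_in_headers "$(cat build.log)" /usr/local/include/wolfssl` after the failed `make`; any symbol that does appear in the headers but still fails to compile usually means the matching wolfSSL build option was not enabled, which is a different fix from a missing compat function.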

Re: wolfssl with stunnel?

Hi @roytam,

wolfSSL has ported and maintains a version of stunnel 5.4 where we integrated support for wolfSSL. We have tried getting those changes merged but so far Stunnel has not accepted them. Could you tell us what it is you are working on and the end goals for your project?

Could you also send an email to rod@wolfssl.com and let him know you are interested in evaluating our wolfSSL ported version of Stunnel?


Warm Regards,

K

5 (edited by roytam1 2018-12-05 19:25:35)

Re: wolfssl with stunnel?

Kaleb J. Himes wrote:

Hi @roytam,

wolfSSL has ported and maintains a version of stunnel 5.4 where we integrated support for wolfSSL. We have tried getting those changes merged but so far Stunnel has not accepted them. Could you tell us what it is you are working on and the end goals for your project?

Could you also send an email to rod@wolfssl.com and let him know you are interested in evaluating our wolfSSL ported version of Stunnel?


Warm Regards,

K

I sent an email as well.

Just out of curiosity, why don't you just put your forked stunnel and haproxy under https://github.com/wolfSSL ?


Re: wolfssl with stunnel?

roytam1,

Just out of curiosity, why don't you just put your forked stunnel and haproxy under https://github.com/wolfSSL ?

That is a great question but unfortunately one I do not know the answer to. It was a decision made by our management and I am not privy to their reasoning!

Warm Regards,

K

Re: wolfssl with stunnel?

Kaleb J. Himes wrote:

roytam1,

Just out of curiosity, why don't you just put your forked stunnel and haproxy under https://github.com/wolfSSL ?

That is a great question but unfortunately one I do not know the answer to. It was a decision made by our management and I am not privy to their reasoning!

Warm Regards,

K

It has been some days since I sent an email to you (or your colleagues) and there has been no reply. Am I being rejected from evaluating wolfSSL's version of stunnel and/or haproxy?


Re: wolfssl with stunnel?

roytam1,

No, not at all, so sorry for the delay. I had asked you to contact rich@wolfssl.com, who has been out sick all week with the flu. I have sent your contact info to Tim Pickering of wolfSSL in Rich's absence. Please expect an email from Tim shortly.

Warm Regards,

K