Armageddon, 2013-10-29 15:30:38
linux

GOST 89 and stunnel?

I needed to set up a connection through stunnel (server and client) using GOST encryption. I managed to get stunnel working, but only with the cipher chosen automatically. If I put ciphers = GOST2001-GOST89-GOST89 in stunnel.conf, stunnel crashes with an error:

SSL_CTX_set_cipher_list: 1410D0B9: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match

OpenSSL version: OpenSSL 1.0.1e 11 Feb 2013; loading libgost.so is registered in the config, and if you run openssl ciphers -v, the list contains
GOST2001-GOST89-GOST89 SSLv3 Kx=unknown Au=unknown Enc=unknown Mac=unknown
GOST94-GOST89-GOST89 SSLv3 Kx=unknown Au=unknown Enc=unknown Mac=unknown
Full stunnel startup log:
Clients allowed=500
stunnel 4.56 on x86_64-unknown-linux-gnu platform
Compiled/running with OpenSSL 1.0.1e 11 Feb 2013
Threading:PTHREAD Sockets:POLL,IPv6 SSL:ENGINE,OCSP,FIPS
Reading configuration from file /stunnel/etc/stunnel/stunnel.conf.server
Enabling support for engine 'gost'
Initializing engine 1
Engine 1 initialized
FIPS mode is disabled
Compression enabled: 2 algorithm(s)
Snagged 64 random bytes from /root/.rnd
Wrote 1024 new random bytes to /root/.rnd
PRNG seeded successfully
Initializing service [https]
Certificate: /etc/ssl/certs/crt.crt
Certificate loaded
Key file: /etc/ssl/certs/private.key.pem
Private key loaded
Could not load DH parameters from /etc/ssl/certs/crt.crt
Using hardcoded DH parameters
DH initialized with 2048-bit key
ECDH initialized with curve prime256v1
SSL_CTX_set_cipher_list: 1410D0B9: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
Service [https]: Failed to initialize SSL context
str_stats: 12 block(s), 1081 data byte(s), 696 control byte(s)
How to make stunnel work with GOST?


3 answer(s)
Armageddon, 2013-10-29

Solved the problem with GOST. I really did not want to dig into the source code, but I found the problem.
I looked at versions 4.29 (stable for squeeze), 4.53 (stable for wheezy) and 4.56 (latest stable).
For 4.29, you need to edit the file src/ssl.c, find the line s_log(LOG_DEBUG, "Engine %d initialized", current_engine+1); and add the initialization of the SSL library after it: SSL_library_init(); Without this call stunnel cannot work with the gost engine; you can see this in the OpenSSL documentation on application development.
Then all that remains is to adjust the build rules in debian/rules to suit yourself (paths to openssl) and run dpkg-buildpackage.
For 4.53 and 4.56, you need to edit src/options.c, find the line s_log(LOG_DEBUG, "Engine %d initialized", current_engine+1); and add SSL_library_init(); after it.
Then it can be configured and installed.
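
As an added example (it is not part of the answer above and not stunnel's own code), the edit it describes expressed as a shell function: it inserts SSL_library_init(); on its own line directly after the s_log(LOG_DEBUG, "Engine %d initialized", current_engine+1); call, keeps that line's indentation, refuses to insert twice, and fails if the anchor line is absent (wrong file or a version whose source differs). The file it patches is a constructed stand-in for src/options.c (src/ssl.c on 4.29): only the anchor line is taken from the answer, everything else in it and all the function names are assumptions made for this demonstration. One caveat: SSL_library_init() is the OpenSSL 1.0.x call that registers the available ciphers and digests, which is why SSL_CTX_set_cipher_list() cannot match GOST suite names before it runs; from OpenSSL 1.1.0 on, library initialization is automatic and the call is a deprecated alias.

```sh
#!/bin/sh
# Added example, not stunnel's code: apply the fix from the answer above by
# inserting SSL_library_init(); after the "Engine %d initialized" s_log() line.
# Usage: add_ssl_library_init path/to/src/options.c   (src/ssl.c for stunnel 4.29)

# The one line the answer tells us to look for (quoted from the answer).
ANCHOR='s_log(LOG_DEBUG, "Engine %d initialized", current_engine+1);'

# Write a constructed stand-in for the engine-init block of src/options.c to $1.
# Only the ANCHOR line is real; the surrounding lines are invented filler.
make_sample_options_c() {
    cat > "$1" <<'EOF'
    /* constructed excerpt standing in for stunnel src/options.c */
    if(!engine_ok)
        return 1;
    s_log(LOG_DEBUG, "Engine %d initialized", current_engine+1);
    return 0;
EOF
}

# Insert SSL_library_init(); on a new line right after ANCHOR in file $1,
# keeping the anchor's indentation. Returns 1 if the anchor is missing
# (wrong file or wrong stunnel version); no-op if the call is already there.
add_ssl_library_init() {
    f="$1"
    if ! grep -qF "$ANCHOR" "$f"; then
        echo "add_ssl_library_init: anchor line not found in $f" >&2
        return 1
    fi
    if grep -qF 'SSL_library_init();' "$f"; then
        echo "add_ssl_library_init: $f already calls SSL_library_init(), nothing to do" >&2
        return 0
    fi
    tmp="$f.tmp.$$"
    # awk's index() matches the anchor literally, so the quotes and the %d in it
    # need no escaping (they would in a sed address or replacement).
    awk -v a="$ANCHOR" '
        { print }
        index($0, a) {
            match($0, /^[ \t]*/)      # leading whitespace of the anchor line
            print substr($0, RSTART, RLENGTH) "SSL_library_init();"
        }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Print the line that follows ANCHOR in file $1 (used to verify the patch).
line_after_anchor() {
    awk -v a="$ANCHOR" '
        found { print; exit }
        index($0, a) { found = 1 }
    ' "$1"
}

# Count the SSL_library_init(); calls in file $1 (should be exactly 1 after patching).
count_ssl_library_init() {
    grep -cF 'SSL_library_init();' "$1" || true
}

# Demo on the constructed sample.
demo_dir=$(mktemp -d)
make_sample_options_c "$demo_dir/options.c"
add_ssl_library_init "$demo_dir/options.c"
echo "line after anchor: $(line_after_anchor "$demo_dir/options.c")"
rm -rf "$demo_dir"
```

Run it against a real checkout as add_ssl_library_init src/options.c before ./configure, and check with line_after_anchor that the call landed where the answer puts it; the anchor check is what protects you from silently patching a file whose engine-init code has moved.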

ntkt, 2013-10-29

Everywhere they write that a patched stunnel is supposedly needed to work with GOST.
How exactly to patch it is not clear, but there are hints here that you need to rebuild with the --disable-rsa option
(this company, by the way, seems to be the one that contributed the GOST support code to OpenSSL):
cryptocom.ru/opensource/stunnel.html

Stunnel supports loading the engine through its configuration file, so no modification of the source code is required. However, the --disable-rsa option must be given to the configure script when it is built. Stunnel built without this option supports only the RSA algorithm; with it, all algorithms supported by the underlying OpenSSL are supported, including RSA.
ATTENTION! Stunnel does not read the standard OpenSSL configuration file. Therefore the engine must be placed in the default engines directory of the OpenSSL installation.

Sergey, 2013-10-30

And what is the point of that? By itself, using the GOST algorithm does not make the solution usable from the point of view of the legislation. You need to obtain a certificate of correct embedding; otherwise the solution cannot be used to protect classified systems.
Or is it just an exercise for fun?
