Curl 7.16.2; Tests Using Stunnel

From: jayjwa <jayjwa_at_atr2.ath.cx>
Date: Fri, 13 Apr 2007 02:28:32 -0400

It took me a while to figure this out so I thought I'd share it. When I was
testing this curl, tests such as 301 (the ones using Stunnel) would fail,
like so:

HTTPS server: /usr/sbin/stunnel /usr/local/src/curl-7.16.2/tests/stunnel.conf
stunnel exited with 1!
RUN: failed to start the HTTPS server
test 301 SKIPPED: failed starting HTTPS server (stunnel)
TESTFAIL: No tests were performed
TESTDONE: 1 tests were considered during 6 seconds.
TESTINFO: 1 tests were skipped due to these restraints:
TESTINFO: "failed starting HTTPS server (stunnel)" 1 times (301)

It's hard to see the stunnel.conf file, because it seems to get deleted after
the test. According to the log it's
/usr/local/src/curl-7.16.2/tests/stunnel.conf in my case. If you make a
hardlink to what its name will be (ln stunnel.conf another.conf) you can use
this new name to see the file. Changing the debug and output lines...

         CApath=/usr/local/src/curl-7.16.2/tests
         cert = ./stunnel.pem
         pid = /usr/local/src/curl-7.16.2/tests/.https.pid
         debug = daemon.info
         output = /dev/stdout
         foreground = yes

         [curltest]
         accept = 8991
         connect = 8990

Let's see the error from stunnel:

2007.04.13 01:14:01 LOG5[1479:3083049280]: Could not load DH parameters from ./stunnel.pem
2007.04.13 01:14:01 LOG4[1479:3083049280]: Diffie-Hellman initialization failed
2007.04.13 01:14:01 LOG3[1479:3083049280]: Error reading certificate file: ./stunnel.pem
2007.04.13 01:14:01 LOG3[1479:3083049280]: SSL_CTX_use_certificate_chain_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio:no start line

I wondered why this was, and found my stunnel didn't seem to run the way I
figured it should. This was version stunnel-4.20. As it turns out, both my
stunnel's PEM file and the stunnel PEM cert/key file used in the tests
seem to omit DH parameters.

fgrep 'DH PARA' /usr/local/src/curl-7.16.2/tests/stunnel.pem

Adding these allows the tests to complete. Here's the stunnel.pem again
(without the long English text output) with some DH parameters on the end:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN DH PARAMETERS-----
MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx
q3YvALe/enMbIq8F3OUmppq3UHwTAgEC
-----END DH PARAMETERS-----

Now that's fixed, re-run the test:

********* System characteristics ********
* curl 7.16.2 (i686-pc-linux-gnu)
* libcurl/7.16.2 OpenSSL/0.9.8d zlib/1.2.3 c-ares/1.3.1 libidn/0.6.5 libssh2/0.14
* Features: AsynchDNS IDN Largefile NTLM SSL libz
* Host: atr2
* System: Linux atr2 2.6.20.4 #2 Sat Apr 7 08:32:29 EDT 2007 i686 GNU/Linux
* Server SSL: ON
* libcurl SSL: ON
* libcurl debug: OFF
* valgrind: OFF
* HTTP IPv6 OFF
* FTP IPv6 OFF
* HTTP port: 8990
* FTP port: 8992
* FTP port 2: 8995
* FTPS port: 8993
* HTTPS port: 8991
* TFTP port: 8997
* SCP/SFTP port: 8999
* SSL library: OpenSSL
* Libtool lib: ON
*****************************************
HTTPS server: /usr/sbin/stunnel /usr/local/src/curl-7.16.2/tests/stunnel.conf
test 301...[HTTPS GET with user and password]
-d-p-e-- OK (1 out of 1 , remaining: 00:00)
TESTDONE: 1 tests out of 1 reported OK: 100%
TESTDONE: 1 tests were considered during 9 seconds.

OpenSSL can make DH params, and actually this is what stunnel does during its
install during 'make install' if you watch closely.

OpenSSL> gendh

Generating DH parameters, 512 bit long safe prime, generator 2
This is going to take a long time
...........................................................................+......................................................................................+...................................+.............+....................+.........+.......+....+.......................................................................................................................+.......+..........+....................+..............+....+..........+........++*++*++*++*++*++*
-----BEGIN DH PARAMETERS-----
MEYCQQDc8dnzSJodFOJStolXylDlhwrIDScZ+tutASEWvUqhAp4HqX/Zcy69ix/d
4aTzuTpOf8Yboz1gal3yXGdzWEsDAgEC
-----END DH PARAMETERS-----

OpenSSL>
Received on 2007-04-13
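
An added example, not part of the original post: a shell check that reports whether a stunnel-style PEM bundle carries a DH PARAMETERS block and how large its prime is, by reading the DER header with `base64`, `od` and `awk`. The function names and the 2048-bit floor (`MIN_DH_BITS`) are assumptions of this example; the sample DH block is the one quoted in the post.

```shell
#!/bin/sh
# Added example (not from the original post): size of the DH prime in a PEM bundle.
MIN_DH_BITS=2048   # assumed policy floor, not a value from the post

# dh_bits FILE: print the bit length of the first DH prime; status 1 if no DH block.
dh_bits() {
    b64=$(awk '
        /^-----BEGIN DH PARAMETERS-----/ { inblk = 1; next }
        /^-----END DH PARAMETERS-----/   { if (inblk) done = 1; inblk = 0 }
        inblk && !done                   { printf "%s", $0 }' "$1")
    [ -n "$b64" ] || return 1
    # DER layout: SEQUENCE { INTEGER p, INTEGER g }; only p is measured.
    printf '%s' "$b64" | base64 -d | od -An -v -tu1 | awk '
        function derlen(   k, c) {            # read a DER length at b[i]
            len = b[i++]
            if (len >= 128) { c = len - 128; len = 0
                for (k = 0; k < c; k++) len = len * 256 + b[i++] }
        }
        { for (f = 1; f <= NF; f++) b[n++] = $f + 0 }
        END {
            i = 0
            if (b[i++] != 48) exit 2          # 0x30 SEQUENCE
            derlen()
            if (b[i++] != 2) exit 2           # 0x02 INTEGER (the prime p)
            derlen()
            while (len > 1 && b[i] == 0) { i++; len-- }   # skip sign padding
            bits = (len - 1) * 8
            for (v = b[i]; v > 0; v = int(v / 2)) bits++
            print bits
        }'
}

# check_dh FILE: one-line verdict for a cert/key bundle such as stunnel.pem.
check_dh() {
    if bits=$(dh_bits "$1"); then
        if [ "$bits" -lt "$MIN_DH_BITS" ]; then echo "weak ($bits bits)"
        else echo "ok ($bits bits)"; fi
    else
        echo "missing or unreadable"
    fi
}

# Demo on a constructed file holding only the DH block quoted in the post.
demo=$(mktemp)
printf '%s\n' '-----BEGIN DH PARAMETERS-----' \
    'MEYCQQD+KCcagSasA1QSo8tRXpbaLJJ1Ezt3FJFEZ3RVplp4qZwXQpSZ+Vly3xWx' \
    'q3YvALe/enMbIq8F3OUmppq3UHwTAgEC' '-----END DH PARAMETERS-----' > "$demo"
check_dh "$demo"; rm -f "$demo"
```

Parameters that meet the floor can be generated with `openssl dhparam 2048` and appended to the bundle in the same position the post uses.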