[ Editor's Note: Markus supplied two patches, one for Stunnel (kerberos_mm.patch) and one for OpenSSL (kerberos_mm-openssl.patch). You likely need both. The WML used to generate this page wasn't set up to handle more than one patch file, so you'll need to find the openssl patch in the patches directory manually. ]

To: stunnel-users@mirt.net
Date: Thu, 20 Mar 2003 18:10:48 +0000
From: Markus Moeller
Subject: Stunnel with openssl 0.9.7/Kerberos

The attached patch allows the use of stunnel with the latest openssl and MIT Kerberos. The cipher has to be set to something like KRB5-DES-CBC-MD5 and the keytab has to contain a ticket for a "kssl" service on the stunnel server host. You need to do a kinit on the stunnel client host.

Markus

###########################################################################################################

Date: Tue, 1 Apr 2003 09:41:14 +0000
From: Markus Moeller
Subject: Patch for stunnel.

This is a patch for stunnel-4.04 to add openssl with Kerberos support (MIT only). This patch requires Openssl 0.9.7a libraries with MIT Kerberos enabled and the attached openssl patch to allow the change of the credential cache.

If a new connection is made to the stunnel client, the stunnel client requests a ticket with a lifetime defined by krb5lifetime and stores it in the credential cache defined in krb5ccache (Note: the process id is added to have different credentials per forked process). After the period of krb5lifetime a new ticket is requested, meaning a change of the encryption key.

The cipher has to be one of:

  EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:KRB5-IDEA-CBC-MD5:KRB5-RC4-MD5:KRB5-DES-CBC3-MD5:KRB5-DES-CBC-MD5:KRB5-IDEA-CBC-SHA:KRB5-RC4-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC-SHA

After patching the source with

  patch -p1 < stunnel.patch

use

  touch */Makefile.in ; sleep 2; touch Makefile.in ; touch aclocal.m4

to avoid automake reconfiguration. Use e.g.

  ./configure --with-ssl=/opt/openssl --with-krb5=/opt/kerberos

The following config options have been added:

  krb5service  = KRB5 service name
  krb5keytab   = KRB5 keytab
  krb5client   = KRB5 client name
  krb5lifetime = KRB5 lifetime
  krb5ccache   = KRB5 credential cache name (without FILE: prefix and _pid postfix)

Default values are:

  krb5keytab   = /etc/krb5.keytab
  krb5lifetime = 300
  krb5ccache   = /tmp/krb5cc_stunnel

The stunnel client configuration file would look like:

  .
  .
  krb5service = kssl
  krb5keytab = /home/stunnel/kssl.keytab
  krb5client = kssl/client_host.com@TEST.COM
  .
  .

The keytab holds only the service key kssl/client_host.com@TEST.COM and NOT the default host key host/client_host.com@TEST.COM, which is why it can be made readable for the stunnel user.

The stunnel server configuration file would look like:

  .
  .
  krb5service = kssl
  krb5keytab = /home/stunnel/kssl.keytab
  .
  .

Again the keytab holds only the service key kssl/server_host.com@TEST.COM and NOT the default host key host/server_host.com@TEST.COM, which is why it can be made readable for the stunnel user.

###########################################################################################################

The patch files are attached.
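A configuration sanity check, added here as an example and not part of Markus's patch or of stunnel itself: it parses an stunnel config and flags the mistakes the post warns about (a non-KRB5 cipher, a krb5ccache given with FILE: prefix or _pid postfix, a client without krb5client, a keytab readable beyond the stunnel user). The `ciphers` and `client` option names are stunnel's own; the sample configs in the test are constructed.

```python
import os
import stat

# Kerberos cipher suites the post lists as acceptable for the patched stunnel.
KRB5_CIPHERS = {
    "EXP-KRB5-DES-CBC-MD5", "EXP-KRB5-RC4-MD5", "EXP-KRB5-RC2-CBC-MD5",
    "EXP-KRB5-RC4-SHA", "EXP-KRB5-RC2-CBC-SHA", "EXP-KRB5-DES-CBC-SHA",
    "KRB5-IDEA-CBC-MD5", "KRB5-RC4-MD5", "KRB5-DES-CBC3-MD5", "KRB5-DES-CBC-MD5",
    "KRB5-IDEA-CBC-SHA", "KRB5-RC4-SHA", "KRB5-DES-CBC3-SHA", "KRB5-DES-CBC-SHA",
}

def parse_stunnel_conf(text):
    """Minimal 'key = value' parser; comments, blank lines and [section] headers are skipped."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts

def check_krb5_conf(text, check_files=True):
    """Return a list of findings; an empty list means the krb5 options look consistent."""
    opts = parse_stunnel_conf(text)
    findings = []
    ciphers = opts.get("ciphers", "")
    bad = [c for c in ciphers.split(":") if c not in KRB5_CIPHERS]
    if not ciphers or bad:
        findings.append("ciphers must contain only KRB5 suites, got: %r" % ciphers)
    ccache = opts.get("krb5ccache", "/tmp/krb5cc_stunnel")        # default from the patch
    if ccache.startswith("FILE:") or ccache.endswith("_pid"):
        findings.append("krb5ccache must be given without FILE: prefix or _pid postfix")
    lifetime = opts.get("krb5lifetime", "300")                     # default from the patch
    if not lifetime.isdigit() or int(lifetime) <= 0:
        findings.append("krb5lifetime must be a positive integer")
    if opts.get("client", "no").lower() == "yes" and "krb5client" not in opts:
        findings.append("client mode needs krb5client (principal the ticket is requested for)")
    keytab = opts.get("krb5keytab", "/etc/krb5.keytab")            # default from the patch
    if check_files:
        try:
            # Only the stunnel user should be able to read the kssl service key.
            if os.stat(keytab).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("%s is group/world accessible; keep it readable by the stunnel user only" % keytab)
        except FileNotFoundError:
            findings.append("keytab %s not found" % keytab)
    return findings
```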