Nikosoft
OpenSource Software

HOWTO use Stunnel with GOST

Russian GOST (ГОСТ) cryptography is not supported out of the box by most common applications used on Linux and Mac OSX. This turns out to be a problem when you have to access SSL/HTTPS sites that use GOST cryptography. This HOWTO describes in a few steps how to use stunnel to circumvent that problem.

1- Installing OpenSSL

First of all, download the latest version of OpenSSL 1.0.0 or 1.0.1 from the OpenSSL site.
Then extract it and compile it by typing the following. On Mac OSX:
./Configure shared zlib enable-rfc3779 --prefix=~/ssl darwin64-x86_64-cc
make
make install
On Linux:
./config shared zlib enable-rfc3779 --prefix=~/ssl
make
make install

2- Installing stunnel

First, download the latest version of stunnel from the stunnel site. Then extract it and apply this small patch (this is for version 4.35; you might need to adapt it):
--- src/ssl.c.orig	2011-04-02 23:04:50.000000000 +0200
+++ src/ssl.c	2011-04-02 23:05:10.000000000 +0200
@@ -275,6 +275,7 @@
         return "Selecting default engine failed";
     }
     s_log(LOG_DEBUG, "Engine %d initialized", current_engine+1);
+    SSL_library_init();
     return NULL; /* OK */
 }
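Review bot: the added SSL_library_init() call carries no comment saying why it must run here, after the engine has been initialized, rather than at program start; a one-line comment explaining what it registers once the engine is loaded would help the next reader. Note also that the call is unconditional in this version, so it runs for whatever engine ends up as default, whereas the 5.00 variant of the same patch guards it with an ENGINE_get_id() comparison against "gost".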
For stunnel version 5.00, the patch is the following:
--- stunnel-5.00/src/options.c	2014-03-06 03:25:52.000000000 +0400
+++ stunnel-5.00new/src/options.c	2014-03-26 18:32:30.008988547 +0400
@@ -2869,6 +2869,10 @@
     }
     s_log(LOG_INFO, "Engine #%d (%s) set as default for %s",
         current_engine+1, ENGINE_get_id(engines[current_engine]), list);
+    if (!strcmp(ENGINE_get_id(engines[current_engine]),"gost")) {
+	    s_log(LOG_INFO, "GOST engine detected: Initializing SSL Library");
+	    SSL_library_init();
+    }
     return NULL;
 }
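Review bot: the two body lines of the new block are indented with a tab followed by spaces while the enclosing `+    if (...) {` and `+    }` lines, like the rest of the file, use four spaces; match the surrounding space indentation. The strcmp against "gost" is the only thing that distinguishes this from the 4.35 patch, so a short comment on why the SSL library has to be initialized again once the gost engine becomes default would make the intent clear without having to consult this HOWTO.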
Afterwards, compile it and install it by typing the following:
./configure --with-ssl=~/ssl/ --prefix=~/stunnel --disable-libwrap
make
make install

3- Configuring Stunnel: client mode

Finally, create the configuration file ~/stunnel/etc/stunnel/stunnel.conf and put the following inside:
sslVersion = TLSv1

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

engine = gost
# uncomment below for stunnel 5.00
#engineDefault = ALL

client = yes

[test]
accept=127.0.0.1:1234
connect=_remote_server_:443
You can try with, for instance, _remote_server_=ca.cryptocom.ru.

Now everything should work: just start stunnel and access the site by pointing your usual web browser at http://127.0.0.1:1234/.
To start stunnel, on Mac OSX type:
export DYLD_LIBRARY_PATH=~/ssl
~/stunnel/bin/stunnel
On Linux type:
export LD_LIBRARY_PATH=~/ssl
~/stunnel/bin/stunnel
Of course, all this can be refined, for instance by setting the CAfile option (together with a verify level) in the configuration file, so that the remote GOST certificate is actually checked.

4- Configuring Stunnel: server mode

If you want to use stunnel the other way round, that is, to make your HTTP server (Apache, lighttpd, ...) reachable over GOST HTTPS, you will first need to have your server listen only on 127.0.0.1:80, and use the following configuration file for stunnel:
sslVersion = TLSv1

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
compression = zlib

engine = gost
# uncomment below for stunnel 5.00
#engineDefault = ALL

; Place here your GOST certificate and Private Key
cert = /etc/ssl/certs/stunnel_cert.pem
key = /etc/ssl/certs/stunnel_key.pem

[https]
accept=_public_ip_:443
connect=127.0.0.1:80
ciphers = GOST2001-GOST89-GOST89
Please note that this method is good only for testing. For a production environment, you will most probably need a certified version, such as MagPro Tunnel.
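Both configuration files above (the client one in section 3 and the server one in section 4) rely on stunnel defaults that are easy to overlook, in particular that a client service verifies nothing unless a verify level is set. The following small parser and linter for stunnel.conf is an added example, not code from this HOWTO or from the stunnel project; the lint rules are assumptions based on stunnel's documented defaults, and the embedded sample is a reconstruction of the section 3 client config.

```python
# Lint an stunnel.conf for the settings this HOWTO leaves to the reader.
# Added example, not code from the HOWTO or from stunnel. It assumes stunnel's
# documented default: without a 'verify' level the peer certificate is not
# checked, and 'CAfile' on its own only names the trust store.
# Constructed sample: the section 3 client config with the page's test host.
CLIENT_CONF = """\
sslVersion = TLSv1
engine = gost
client = yes

[test]
accept=127.0.0.1:1234
connect=ca.cryptocom.ru:443
"""

def parse_stunnel_conf(text):
    """Return (global_options, {service: options}) with lower-cased keys.
    Lines starting with '#' or ';' are comments, '[name]' opens a service and
    'key = value' splits on the first '='; a repeated key keeps its last value.
    """
    global_opts, services, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip()
            services[section] = {}
            continue
        key, sep, value = line.partition('=')
        if sep:  # lines without '=' are malformed and skipped
            target = global_opts if section is None else services[section]
            target[key.strip().lower()] = value.strip()
    return global_opts, services

def lint_stunnel_conf(text):
    """Return findings as strings; an empty list means nothing to report."""
    global_opts, services = parse_stunnel_conf(text)
    client_mode = global_opts.get('client', 'no').lower() == 'yes'
    findings = []
    for name, opts in services.items():
        eff = {**global_opts, **opts}  # service options override global ones
        if client_mode and 'verify' not in eff:
            findings.append(f"[{name}]: client mode without 'verify', so the remote "
                            "certificate is not checked (CAfile alone does not enable it)")
        if not client_mode and 'cert' not in eff:
            findings.append(f"[{name}]: server mode without 'cert'")
        if not client_mode and 'ciphers' not in eff:
            findings.append(f"[{name}]: no 'ciphers' line, suite list left to defaults")
    return findings
```

Run against the section 3 client config it reports the missing verify level; adding `verify = 2` and a `CAfile` pointing at the GOST CA certificate silences it.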