Patch info for kerberos_mm
Author Comments
[
Editor's Note: Markus supplied two patches, one for Stunnel
(kerberos_mm.patch) and one for OpenSSL (kerberos_mm-openssl.patch).
You likely need both. The WML used to generate this page wasn't set
up to handle more than one patch file, so you'll need to find
the openssl patch in the patches directory manually.
]
To: stunnel-users@mirt.net
Date: Thu, 20 Mar 2003 18:10:48 +0000
From: Markus Moeller <mm@mail.DeuBa.COM>
Subject: Stunnel with openssl 0.9.7/Kerberos
The attached patch allows the use of stunnel with the latest openssl and MIT
Kerberos. The cipher has to be set to something like KRB5-DES-CBC-MD5 and the
keytab has to contain a ticket for a "kssl" service on the stunnel server
host. You need to do a kinit on the stunnel client host.
Markus
Date: Tue, 1 Apr 2003 09:41:14 +0000
From: Markus Moeller <mm@mail.DeuBa.COM>
Subject: Patch for stunnel.
This is patch for stunnel-4.04 to add openssl with Kerberos support (MIT
only). This patch requires Openssl 0.9.7a libraries with MIT Kerberos
enabled and the attached openssl patch to allow the change of the credential
cache.
If a new connection is made to the stunnel client, the stunnel client requests
a ticket with a lifetime defined by krb5lifetime and stores it in the
credential cache defined in krb5ccache (Note that the process id is added to
have different credentials per forked process). After the period of
krb5lifetime a new ticket is requested meaning a change of the encryption
key. The cipher has to be one of:
EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC2-CBC-MD5:EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC2-CBC-SHA:EXP-KRB5-DES-CBC-SHA:KRB5-IDEA-CBC-MD5:KRB5-RC4-MD5:KRB5-DES-CBC3-MD5:KRB5-DES-CBC-MD5:KRB5-IDEA-CBC-SHA:KRB5-RC4-SHA:KRB5-DES-CBC3-SHA:KRB5-DES-CBC-SHA
After patching the source with patch -p1 < stunnel.patch use touch
*/Makefile.in ; sleep 2; touch Makefile.in ; touch aclocal.m4 to avoid
automake reconfiguration.
Use e.g. ./configure --with-ssl=/opt/openssl --with-krb5=/opt/kerberos
The following config options have been added:
krb5service = KRB5 service name
krb5keytab = KRB5 keytab
krb5client = KRB5 client name
krb5lifetime = KRB5 lifetime
krb5ccache = KRB5 credential cache name (without FILE: prefix and _pid
postfix)
Default values are:
krb5keytab = /etc/krb5.keytab
krb5lifetime = 300
krb5ccache = /tmp/krb5cc_stunnel
The stunnel client configuration file would look like:
.
.
krb5service = kssl
krb5keytab = /home/stunnel/kssl.keytab
krb5client = kssl/client_host.com@TEST.COM
.
.
The keytab holds only the service key kssl/client_host.com@TEST.COM and NOT
the default host key host/client_host.com@TEST.COM, so it can be made
readable for the stunnel user.
The stunnel server configuration file would look like:
.
.
krb5service = kssl
krb5keytab = /home/stunnel/kssl.keytab
.
.
Again the keytab holds only the service key kssl/server_host.com@TEST.COM and
NOT the default host key host/server_host.com@TEST.COM, so it can be made
readable for the stunnel user.
The patch files are attached.
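As an added example (not code from Markus's patches, from OpenSSL or from stunnel), the script below checks a stunnel configuration against the krb5* option names, defaults and cipher list given in the two messages above, derives the per-process credential cache name the description mentions (FILE: prefix, _pid postfix), and checks a keytab listing for the rule from both messages that the stunnel keytab should hold only the kssl service key and not the host key. The configuration text and the klist -k style listing it parses are constructed samples; the option names, defaults and cipher names are taken from the patch description.

```python
"""Sanity checks for the krb5* stunnel options described in the patch mails.

Added example; not code from the kerberos_mm patches or from stunnel.
Option names, defaults and the cipher list follow the patch description;
SAMPLE_CONF and SAMPLE_KLIST are constructed inputs.
"""
import re

# Cipher names the patch description lists as usable with the Kerberos build.
KRB5_CIPHERS = set((
    "EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC4-MD5:EXP-KRB5-RC2-CBC-MD5:"
    "EXP-KRB5-DES-CBC-MD5:EXP-KRB5-RC4-SHA:EXP-KRB5-RC2-CBC-SHA:"
    "EXP-KRB5-DES-CBC-SHA:KRB5-IDEA-CBC-MD5:KRB5-RC4-MD5:KRB5-DES-CBC3-MD5:"
    "KRB5-DES-CBC-MD5:KRB5-IDEA-CBC-SHA:KRB5-RC4-SHA:KRB5-DES-CBC3-SHA:"
    "KRB5-DES-CBC-SHA").split(":"))

# Default values stated in the patch description.
DEFAULTS = {"krb5keytab": "/etc/krb5.keytab",
            "krb5lifetime": "300",
            "krb5ccache": "/tmp/krb5cc_stunnel"}

# Constructed stunnel client configuration (stunnel.conf style).
SAMPLE_CONF = """\
client = yes
ciphers = KRB5-DES-CBC3-SHA:KRB5-DES-CBC-MD5
krb5service = kssl
krb5keytab = /home/stunnel/kssl.keytab
krb5client = kssl/client_host.com@TEST.COM
[imaps]
accept = 143
connect = server_host.com:993
"""

# Constructed 'klist -k' style listing of that keytab; it wrongly also holds
# the host key, which the patch description says should not be there.
SAMPLE_KLIST = """\
Keytab name: FILE:/home/stunnel/kssl.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 kssl/client_host.com@TEST.COM
   2 host/client_host.com@TEST.COM
"""


def parse_config(text):
    """Collect 'key = value' pairs; '#' or ';' start a comment, '[name]' opens a section."""
    opts = {}
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        opts[key] = value
    return opts


def effective_krb5_options(opts):
    """Apply the patch's defaults to whatever krb5* options the file sets."""
    merged = dict(DEFAULTS)
    merged.update({k: v for k, v in opts.items() if k.startswith("krb5")})
    return merged


def ccache_for_pid(ccache, pid):
    """Per-process cache name: the patch adds the FILE: prefix and the _pid postfix."""
    return "FILE:%s_%d" % (ccache, pid)


def bad_ciphers(cipher_spec):
    """Return the cipher names in an OpenSSL-style spec that are not in the KRB5 list."""
    if not cipher_spec:
        return []
    return [c for c in cipher_spec.split(":") if c not in KRB5_CIPHERS]


def keytab_principals(klist_output):
    """Extract principal names from 'KVNO principal' lines of a klist -k listing."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return sorted(found)


def keytab_findings(principals, service):
    """Only <service>/ keys belong in the stunnel keytab; a host/ key must not be there."""
    findings = [("host key present: " if p.startswith("host/") else "unexpected principal: ") + p
                for p in principals if not p.startswith(service + "/")]
    if not any(p.startswith(service + "/") for p in principals):
        findings.append("no %s/ service key in keytab" % service)
    return findings


def run_checks(conf_text, klist_output):
    """Return a list of findings; an empty list means the setup matches the description."""
    opts = parse_config(conf_text)
    krb = effective_krb5_options(opts)
    findings = []
    if "krb5service" not in opts:
        findings.append("krb5service not set")
    if opts.get("client", "no") == "yes" and "krb5client" not in opts:
        findings.append("krb5client not set on a client configuration")
    findings += ["cipher not in KRB5 list: " + c for c in bad_ciphers(opts.get("ciphers", ""))]
    findings += keytab_findings(keytab_principals(klist_output), krb["krb5service"])
    return findings


if __name__ == "__main__":
    print("credential cache for this process would be:",
          ccache_for_pid(effective_krb5_options(parse_config(SAMPLE_CONF))["krb5ccache"], 4242))
    for finding in run_checks(SAMPLE_CONF, SAMPLE_KLIST) or ["no findings"]:
        print(finding)
```

On the constructed sample the only finding is the extra host key; on a real host you would feed the script your stunnel.conf and the output of klist -k against the keytab named by krb5keytab, and fix the keytab (or its ownership) before making it readable to the stunnel user.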
This website makes patches available for use by the
Internet community. However, it does not endorse any of the patches
contained herein. They could work perfectly, or totally foul up
everything. We don't know. Contact the authors if you have any
questions. Use at your own risk.
The Stunnel software package does not contain any
cryptography itself, however please remember that import and/or export of
cryptographic software, code providing hooks to cryptographic
algorithms, and discussion about cryptography is illegal in some countries.
It is imperative for you to know your local laws governing cryptography.
We're not liable for anything you do that violates your local laws.