cyassl-1.4.0 and stunnel-4.31

  • stevef


    I can't seem to get stunnel-4.31 to compile against cyassl-1.4.0.
    As per README file, I compiled cyassl-1.4.0 with:

    ./configure --disable-shared --enable-opensslExtra --enable-fastmath --without-zlib
    make openssl-links

    And compiled stunnel-4.31 with:

    ./configure --with-ssl=/root/diablo/cyassl/cyassl-1.4.0

    I get these errors:

    prototypes.h:115: error: expected specifier-qualifier-list before ‘ENGINE’
    prototypes.h:278: error: expected ‘=’, ‘,’, ‘;’, ‘asm’ or ‘__attribute__’ before ‘*’ token

    I played with <cyassldir>/include/openssl/engine.h
    and added "#undef HAVE_OSSL_ENGINE_H", thinking that cyassldir's "#undef HAVE_OPENSSL_ENGINE_H" was a typo.
    That got me a step further, but I ended up with a bunch of errors relating to incomplete type:

    ctx.c: In function ‘sess_new_cb’:
    ctx.c:402: error: dereferencing pointer to incomplete type
    ctx.c:403: error: dereferencing pointer to incomplete type
    ctx.c:403: error: dereferencing pointer to incomplete type
    ctx.c: In function ‘sess_get_cb’:

    Upon inspection, I don't see SSL being completely defined anywhere in the openssl compatibility API.
    Am I missing something?

    Just for sanity, I downloaded the stunnel-cyassl.tar.gz file and tried to get that to compile but ended up with the same errors. How did you get that to compile?

  • Todd Ouska

    Hi, I just built CyaSSL 1.4.0 with stunnel 4.31, steps:

    For CyaSSL
    1) ./configure -disable-shared -enable-opensslExtra -enable-fastmath

    -without-zlib is no longer needed as it is now off by default

    2) make
    3) make install

    may need sudo make install, default is /usr/local/cyassl

    For stunnel
    1) ./configure -with-ssl=/usr/local/cyassl
    2) Makefile changes
        a) remove def for HAVE_OSSL_ENGINE_H=1, needs to be cleaned up
        b) change -lssl -lcrypto to -lcyassl (ideally should work without this change but sometimes system openssl is picked up first and causes linker problems)

    3) Move two definitions out of version #ifdef in prototypes.h since stunnel uses them whether defined or not
        a) ocsp_addr
        b) ocsp_path
         These are both in LOCAL_OPTIONS and can just be moved a couple lines above the SSLEAY_VERSION_NUMBER, needs to be cleaned up

    4) comment out all calls to cache_transfer() in ctx.c since CyaSSL handles these internally and because CyaSSL uses opaque typedefs that aren't defined at the API level (only internally), needs to be cleaned up - use function calls instead of dereference.

    Potentially the DEFAULT_STACK_SIZE may need to be increased when using fastmath. On OS X for example, a value of 90,112 fixes stack corruption.

    Let me know if you have any questions. I'll submit a request to have these changes placed in a new stunnel so that CyaSSL can be used without changes.

  • stevef

    Thank you touska. Got it to compile with those instructions.

    I would like to get the cache_transfer() working to get remote session caching. All it needs is to be able to get access to ssl->ctx, but the SSL structure is not completely defined at that point in ctx.c. I notice that the SSL typedef is defined in <cyassldir>/include/cyassl_int.h, but is not included in any of the openssl compatibility layer include files. Manually including cyassl_int.h would just throw up errors.

  • Todd Ouska

    Glad it worked, forgot to mention commenting out print_stats() too but it looks like you figured that out.

    It's not quite as simple as just exposing the CTX pointer in SSL. SSL_SESSION has a couple of dereferences too, session_id and session_id_length. And every app that's ported has a couple more…

    yaSSL started with the goal of the most basic API functions compatibility. Not source and type compatibility, which was impossible anyway since yaSSL is in C++. It also gives the user fewer ways to shoot themselves in the foot. CyaSSL continued this and I believe leaving the type definitions internal is the correct choice. Especially since OpenSSL types are supposed to be used as if the type is incomplete, i.e., dereferencing isn't needed since API calls exist to retrieve those values. In this case, SSL_get_SSL_CTX() and SSL_SESSION_get_id() provide the 3 values (get_id gets both the session id and length). Adding those to CyaSSL and getting stunnel to use them is just a matter of coordination.

    I'm not sure a remote session cache is a great idea. That's exposing the master secret to the wire (or even wireless). Anyone with the master secret can decode the entire session. Seems like a lot of risk. What's wrong with CyaSSL's internal cache? I guess I'm asking why is a remote session cache important?
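    The accessor-based approach Todd describes above, as an added example that is not CyaSSL's or stunnel's code: the library side below is a stand-in with assumed struct layouts, the accessor names and signatures are the OpenSSL ones the post cites, and session_cache_key() is a hypothetical replacement for the ssl->ctx and session->session_id dereferences in stunnel's cache_transfer().

```c
/* Added example: build a session-cache key through the opaque OpenSSL-style
 * API only, so the same source compiles against a library (such as CyaSSL)
 * whose SSL / SSL_SESSION layouts are not visible to the application. */
#include <stddef.h>
#include <string.h>

/* What an OpenSSL-compatible header exposes: incomplete types plus accessors. */
typedef struct SSL_CTX_st SSL_CTX;
typedef struct SSL_st SSL;
typedef struct SSL_SESSION_st SSL_SESSION;
SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len);

/* Library-internal side: these layouts are assumed stand-ins, not CyaSSL's.
 * An application must never depend on them; it uses the accessors above. */
struct SSL_CTX_st { int cache_entries; };
struct SSL_SESSION_st { unsigned char session_id[32]; unsigned int session_id_length; };
struct SSL_st { SSL_CTX *ctx; SSL_SESSION *session; };

SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { return ssl->ctx; }
const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) {
    if (len) *len = s->session_id_length;
    return s->session_id;
}

/* Application side (hypothetical replacement for the cache_transfer()
 * dereferences): copy the session id into out, report the owning SSL_CTX via
 * *ctx_out, and return the id length, or -1 if the id is empty or would not
 * fit in the caller's buffer. */
int session_cache_key(const SSL *ssl, const SSL_SESSION *sess,
                      unsigned char *out, size_t out_len, SSL_CTX **ctx_out) {
    unsigned int id_len = 0;
    const unsigned char *id = SSL_SESSION_get_id(sess, &id_len);
    if (id == NULL || id_len == 0 || id_len > out_len)
        return -1;                      /* never overflow the caller's buffer */
    memcpy(out, id, id_len);
    if (ctx_out) *ctx_out = SSL_get_SSL_CTX(ssl);
    return (int)id_len;
}

int main(void) {
    /* Constructed sample objects standing in for a live connection. */
    SSL_CTX ctx = { 0 };
    SSL_SESSION sess = { { 0xde, 0xad, 0xbe, 0xef }, 4 };
    SSL ssl = { &ctx, &sess };
    unsigned char key[32];
    SSL_CTX *owner = NULL;
    int n = session_cache_key(&ssl, &sess, key, sizeof key, &owner);
    return (n == 4 && owner == &ctx) ? 0 : 1;
}
```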

  • Oliver Metz

    Is there a patched version of stunnel-4.31 with cyassl support available? Or can anybody of you provide a patch?

  • Oliver Metz

    Okay, my colleague was faster. If anybody is interested the patches can be found here:

    However not all of them are related to this topic. You should provide the environment variable "OPENSSL_ALTERNATIVE=cyassl" during configure to get it running.