Hello,
I upgraded to stunnel 4.10 yesterday and since then I can't
manage to get stunnel working with xinetd. I try to access a CVS server
with SSL encryption. If stunnel is started stand-alone, it works as
before, but when it's started by xinetd all I get is:
cvs [update aborted]: reading from server: Connection reset by peer
I've attached the connection logs with 4.09 and 4.10 as well as my
configuration file (which used to work for more than a year). My xinetd
is version 2.3.13 (and I haven't changed it for several months).
Please, let me know if I'm overlooking something or if I can try
anything to debug more in depth...
Thanks in advance,
Eric
PS: actually the CVS is accessible from outside, so you might want to try
it yourself!
# Sample stunnel configuration file
# Copyright by Michal Trojnara 2002
setuid = root
setgid = root
# Authentication stuff
verify = 2
CAfile = /etc/ssl/stunnel/lifl-cvs.pem
# Use it for client mode
client = yes
#debug = 7
#output = /home/eric/busy/stunnel.log
connect = cvs.lifl.fr:2405
On a Windows 2000 machine I always get the following error when I try to
start stunnel (4.11):
Error resolving 'x.y.z.23': Neither nodename nor servname known
(EAI_NONAME)
The client should connect to a server using SSL. x.y.z.23 is a static IP
address of the client. The client has multiple IP addresses and stunnel
should use this one to connect to the server.
Contents of stunnel.conf:
client=yes
[service]
local=x.y.z.23
accept=12345
connect=server:12345
Why does stunnel try to "resolve" this IP? Is the configuration correct?
Thanks for your help!
Oliver
Hi,
I am thinking about adding FTP protocol support to stunnel4. First, some
restrictions to simplify the implementation:
1) only support for stunnel running in server mode; users can use FTP
clients which support SSL connections (e.g. FlashFXP) to connect to the
real FTP server through the stunnel daemon;
2) only support the standalone service mode of stunnel (inetd support may
be added later; I've just read the source code related to standalone
service, and have not got any clue about how to support inetd);
3) only support FTP implicit SSL and PASSIVE mode;
The code may look like this (the real FTP server is at 192.168.10.254,
listening on port 21):
1) start a stunnel daemon normally with accept = 990, remote =
192.168.10.254:21, protocol = ftp;
2) when a connection comes in, parse the FTP server response, search for
"227 Entering Passive Mode (192,168,10,254,133,22)", then we get the data
connection IP: 192.168.10.254 PORT: 34070;
3) add 1 to the data connection port 34070, then we get 34071, which will
be used as the stunnel accept port;
4) create a LOCAL_OPTIONS structure instance opt (prototypes.h)
dynamically, set opt->accept=1, opt->local_addr the same as the parent
stunnel, change its port to 34071, opt->remote_addr = real data
connection (IP: 192.168.10.254 PORT: 34070); opt->fd = socket(), bind();
5) set local_option->next = opt;
6) s_poll_add(&fds, opt->fd, 1, 0); (stunnel.c) (the local variable fds
needs to be changed to a global variable; by the way, I think it is also
required if stunnel wants real SIGHUP configuration-on-the-fly support)
7) change the server response to "227 Entering Passive Mode
(STUNNEL_LOCAL_HOST,133,23)", then send it back to the client;
8) the client will then connect to STUNNEL_LOCAL_HOST port = 34071,
negotiate the SSL session and send/receive data;
9) after the FTP session has finished (how to know an FTP session is
finished?), free the dynamic LOCAL_OPTIONS opt, remove opt->fd from fds,
close the data session.
There are only two source files (stunnel.c, protocol.c) that need to be
modified to implement these functions.
Any suggestions will be appreciated.
Thank you.
Zhuang Yuyao
2005/7/28
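The PASV handling in steps 2), 3) and 7) of the proposal above, written out as an added example in C; it is not code from the post or from stunnel itself. It parses the 227 reply, checks that the announced address is the configured FTP server (an assumed policy, so a reply cannot point the new data listener at some other host), and builds the reply the client should see with the port incremented by one; local_ip stands in for STUNNEL_LOCAL_HOST.

```c
#include <stdio.h>
#include <string.h>

/* Parse "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)".
 * On success writes the dotted-quad address to ip, the port to *port and
 * returns 0. Returns -1 for a malformed reply, an out-of-range octet, or
 * (assumed policy, not stunnel's own) an address that differs from
 * expected_ip, the configured FTP server: the data listener must only ever
 * point back at the server the control connection was made to. */
int parse_pasv(const char *reply, const char *expected_ip,
               char *ip, size_t iplen, int *port)
{
    unsigned h[4], p[2];
    const char *open = strchr(reply, '(');

    if (strncmp(reply, "227", 3) != 0 || open == NULL)
        return -1;
    if (sscanf(open, "(%u,%u,%u,%u,%u,%u)",
               &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return -1;
    for (int i = 0; i < 4; i++)
        if (h[i] > 255)
            return -1;
    if (p[0] > 255 || p[1] > 255)
        return -1;
    snprintf(ip, iplen, "%u.%u.%u.%u", h[0], h[1], h[2], h[3]);
    if (expected_ip != NULL && strcmp(ip, expected_ip) != 0)
        return -1;
    *port = (int)(p[0] * 256 + p[1]);   /* 133,22 -> 34070 */
    return 0;
}

/* Build the reply the client sees: the stunnel host as comma-separated
 * octets and data_port + 1, the port stunnel itself will accept on.
 * Returns the new port, or -1 if it does not fit in 16 bits or local_ip
 * is not a dotted quad. */
int rewrite_pasv(const char *local_ip, int data_port, char *out, size_t outlen)
{
    unsigned h[4];
    int newport = data_port + 1;

    if (data_port < 0 || newport > 65535)
        return -1;
    if (sscanf(local_ip, "%u.%u.%u.%u", &h[0], &h[1], &h[2], &h[3]) != 4)
        return -1;
    snprintf(out, outlen, "227 Entering Passive Mode (%u,%u,%u,%u,%d,%d)\r\n",
             h[0], h[1], h[2], h[3], newport / 256, newport % 256);
    return newport;
}
```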
Hi,
I am new to stunnel and Linux. I am trying to set up a
secure connection to a server which can be accessed from
any web browser on a designated port. I need to be able to
access a web browser server administration interface; this
is over http and I need to make this an https connection. I
have compiled and installed stunnel on a Linux machine
(FC4) but can't seem to get any response from it or make
it work. If anyone can explain, step by step, how to
configure stunnel for general https usage, it would be
greatly appreciated. I have looked through the
documentation but I have not been able to get it to work.
I have also noticed that webmin supports stunnel but there
is nothing in it.
I added this to the conf file:
[https]
accept = 8080
connect = 28477
TIMEOUTclose = 0
Thanks
As y'all can probably see, I've started climbing out from the
rock under which I've been living (the rock called "too many
kids".)
If there are folks who have issues or bugs in stunnel 3.x,
let's get talking off list so we can make another release.
I'd like to include only security or bug fixes. The 4.x
branch is totally fine, and I see no reason to add new
features to the 3.x branch.
This would be one of at most a few last bug fix releases
for the 3.x branch so I can lay it to rest.
--
Brian Hatch                 "Look, somebody's got to have
Systems and                  some damn perspective around
Security Engineer            here. Boom, sooner or later.
http://www.ifokr.org/bri/    *BOOM*!"
Every message PGP signed

Hi all,
I've got two LANs behind masquerading routers that I've linked via a
stunnel + pppd VPN. When it works, it works, but I've got a couple of
problems. Has anybody out there in Stunnel Land managed to fix / work around
these?
1) The connection goes down fairly regularly.
I've set up a cron job to move a few packets back and forth to make sure that
the ADSL connection at both ends stays up (pppd set not to do demand stuff).
There's nothing in the logs to suggest that the ADSL *is* going down, but I
thought it would eliminate a lot of possibilities (see log entries below).
Currently the link is going down at least once per day. Uptime varies
greatly.
I can't see any way of asking stunnel to try again if pppd exits (see conf
below) other than manually restarting it.
I'm hoping to scale the VPN up to multiple sites - with one connection, I can
just do /etc/rc.d/stunnel restart - but if I've got multiple instances of
stunnel running with different configs it gets a bit messy to reset a single
connection. I did think about having multiple hard links to the stunnel
binary, so each VPN will have a different process name attached to it, but
this strikes me as a bit of a hack.
2) bandwidth on the link is poor.
I consistently get 1/4 of the bandwidth (measured using scp to copy largish
files) compared with bypassing the stunnel/pppd pair (same route between
LANs). While I expected some overhead, this seems rather a lot.
3) latency is a lot higher too
4) The VPN seems to stutter more regularly than the direct connection
...I mean that I don't seem to be getting any traffic for 5-10 seconds then it
resumes without any loss of data (e.g. when using ssh).
The routers at either end are relatively dumb so (as I understand it) there
aren't many options for using IPIP or GRE tunnelling.
Anybody got any suggestions as to how I can make it (particularly) more
reliable and (also) a bit faster?
TIA,
Colin McKinnon
pppd
--------
pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202
log entries:
----------------
Stunnel started manually:
Jul 19 08:25:59 serv8 stunnel[740]: stunnel 4.05 on i686-suse-linux-gnu PTHREAD with OpenSSL 0.9.7d 17 Mar 2004
Jul 19 08:25:59 serv8 stunnel[740]: FD_SETSIZE=1024, file ulimit=1024 -> 500 clients allowed
Jul 19 08:25:59 serv8 pppd[743]: pppd 2.4.2 started by stunnel, uid 100
Jul 19 08:25:59 serv8 pppd[743]: Using interface ppp0
Jul 19 08:25:59 serv8 pppd[743]: Connect: ppp0 <--> /dev/pts/1
Everything works fine (although a little slow) then...
Jul 19 10:36:32 serv8 pppd[743]: No response to 4 echo-requests
Jul 19 10:36:32 serv8 pppd[743]: Serial link appears to be disconnected.
Jul 19 10:36:34 serv8 pppd[743]: Script /etc/ppp/ip-down finished (pid 1668), status = 0x0
Jul 19 10:36:34 serv8 ip-down: SIOCDELRT: No such process
Jul 19 10:36:36 serv8 pppd[743]: Connection terminated.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes.
Jul 19 10:36:36 serv8 pppd[743]: Connect time 130.6 minutes.
Jul 19 10:36:36 serv8 pppd[743]: Sent 58200 bytes, received 57227 bytes.
Jul 19 10:36:36 serv8 pppd[743]: Exit.
Jul 19 10:36:36 serv8 stunnel[741]: readsocket: Input/output error (5)
Jul 19 10:36:36 serv8 stunnel[741]: Connection reset: 68626 bytes sent to SSL, 66280 bytes sent to socket
Stunnel config
---------------------
foreground = no
client = yes
setuid = stunnel
setgid = dialout
CAfile = /etc/stunnel/3bCArootCert.pem
cert = /etc/stunnel/system.pem
verify = 2
session = 3600
[ppp]
connect = remotehost:2020
exec = /usr/sbin/pppd
execargs = pppd local nodeflate nobsdcomp nodefaultroute 10.1.17.208:10.1.20.202
pty = yes
(converse at other end)
Routing at 'client' end
---------------------------------
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.20.202     *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
10.1.20.0       *               255.255.255.0   U     0      0        0 ppp0
10.1.17.0       *               255.255.255.0   U     0      0        0 eth2
loopback        *               255.0.0.0       U     0      0        0 lo
default         192.168.1.1     0.0.0.0         UG    0      0        0 eth1
(eth1 connects to the ADSL router, eth2 to the LAN)

I was reading a book where they discussed using stunnel as client and
server proxy with -d -r and -c options. I have SuSE 9.3 and the
stunnel on it has different options. Then I found that we have to use
config file. I used it to configure my server. I defined the following
section:
[myserver]
accept = 12345
connect = 12323
Here my server listens on 12323. I have my server already running. Now
I typed stunnel and nothing happened. I typed "pgrep stunnel" and
could not see anything. Apparently I have not understood how stunnel
works. Can someone let me know how I can configure stunnel to
secure my server app and my client app, which are not SSL aware.
I also have a question. The book which I am reading says stunnel acts
as a proxy for a server app. If my server app is listening on A, and
I want stunnel to service all clients connecting to A, how can
it do it, as that port is already serviced by my server app?
Thanks
JB
Hi all,
I would like to compile stunnel-4.11 for a board based on an ATMEL at91rm9200.
I try to compile it with this command:
[root@StageIup stunnel-4.11]# CC=/usr/local/arm/3.0/bin/arm-linux-gcc ./configure --host=arm-linux --prefix=/home/fabrice/dev/stunnel/stunnel-armtest --with-ssl=/home/fabrice/dev/openssl
But I have the following error:
configure: **************************************** PTY device files
checking for "/dev/ptmx"... configure: error: cannot check for file existence when cross compiling
If anybody has an idea about how to resolve this problem or how to compile
stunnel for ARM ...
Thanks
--
Regards
Fabrice
--
IFOTEC
Tel: 04 76 67 53 53

Howdy...
I'm trying to run samba over stunnel on a wireless connection. Here's the
setup:
unix box <- wifi -> windows laptop
Unfortunately, reading files from the shared drive is extremely slow.
If I look at the stunnel box on my windows machine, it is pumping out
about 20 messages/second that say:
LOG7[2140:3636]: SSL_read returned WANT_READ: retrying
On two >1GHz machines, this is utilizing about 5% of cpu, and 4% of the
11Mbps link. Clearly there is room for improvement here!
I tried poking around with stunnel.conf on the server to no avail -
specifically, I commented out the lines:
; Some performance tunings
socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
;compression = rle
And restarted stunnel - same miserable performance (roughly the same
throughput, and resource usage).
Is there something about the SMB protocol that would cause stunnel to not
deal with it well? If so, is there a configuration option somewhere I can
tune, or do I have to RTFS & hack it to get decent performance here?
Any tips would be greatly appreciated. Thanks in advance!
Cheers,
Brian
Brian Szymanski
Software and Systems Developer
Media Matters for America
ski(a)mediamatters.org
aim: xbrianskix
Hi,
I successfully installed and executed stunnel without compression and with RLE compression, but with ZLIB compression I receive the following message at startup:
2005.07.25 08:24:28 LOG5[1408:1524]: stunnel 4.11 on x86-pc-mingw32-gnu WIN32+IPv4 with OpenSSL 0.9.7f 22 Mar 2005
2005.07.25 08:24:28 LOG3[1408:1976]: Error reading certificate file: stunnel.pem
2005.07.25 08:24:28 LOG3[1408:1976]: error stack: 25070067 : error:25070067:DSO support routines:DSO_load:could not load the shared library
2005.07.25 08:24:28 LOG3[1408:1976]: error stack: 25078067 : error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library
2005.07.25 08:24:28 LOG3[1408:1976]: error stack: 25070067 : error:25070067:DSO support routines:DSO_load:could not load the shared library
2005.07.25 08:24:28 LOG3[1408:1976]: SSL_CTX_use_certificate_chain_file: 25078067: error:25078067:DSO support routines:WIN32_LOAD:could not load the shared library
2005.07.25 08:24:28 LOG3[1408:1976]: Server is down
I downloaded the ZLIB1.DLL file on the client and on the server; the startup is normal, but after the beginning of the communications the server crashes.
I use Win2000 Server SP4 in the server and Win2000 Pro in the client.
thanks
Luis A S C Junior