stunnel-users January 2021

stunnel-users@stunnel.org

8 participants
11 discussions

Requests to cloud server that requires host header
by Lorne Kates 13 Nov '24

13 Nov '24

(related to Akamai message from before-- but I have better troubleshooting information). I'm tying to route traffic through stunnel to a "cloud" based-endpoint. That endpoint has a static server name-- test.authorize.net. (This is the dev sandbox for auth.net). But if you do an nslookup on test.authorize.net, you'll get back a different servername and IP, because it's so wonderfully "cloud". Stunnel apparently tries to connect to the nslookup value. The server rejects the request because … [View More]

4 3

Re: [stunnel-users] CPU 100%
by Eric Eberhard 06 Nov '24

06 Nov '24

Long ago I had a server with a bad network card. Every once in a while it would spew uncontrollable bytes onto the network. If you open a stunnel connection and it does that this could very well be the problem. If it cheap, try changing the network card. If not, you should be able to look in your firewall/router and it will tell you who is sending what bytes to whomever. See if that machine is indeed streaming the bytes in massive quantities. If not, I would suspect your stunnel is … [View More]getting stuck in it's own loop. There are a million reasons this can happen (well a few less than a million) - such as maybe a bad library in the FreeBSD or a bad choice in the Makefile - such as doing threads or something in a way your O/S does not like (I use threads=fork or whatever it is, instead of actual threading). You might tinker with some of the options that make the stunnel build and try different ones. Especially if stunnel was compiled on a different version of the O/S - could be differences in bytes in things and who knows what. That is all I can suggest beyond setting the debug level to 7 (I think is highest) and then watching the log file. Eric From: stunnel-users [mailto:stunnel-users-bounces@stunnel.org] On Behalf Of Murrey, Brian J. Sent: Wednesday, October 17, 2018 10:57 AM To: stunnel-users(a)stunnel.org Subject: [stunnel-users] CPU 100% We are running stunnel 5.49 on FreeBSD 11.2 and we're running into a problem once in a while. CPU pegs at 100% when we get an stunnel connection from one of our external devices. This affects 100% of all cores and we can't even log in to console. To mitigate this temporarily, we have a script running in the background to watch when stunnel begins to spike and restarts the daemon. It doesn't happen 100% of the time, and so far I have been unable to distinguish what makes the connection do this to the CPU. Have any of you run in to this issue? Sincerely, Brian Murrey System Engineer II, IT Infrastructure _____ NOTICE: This message may contain privileged and confidential information and/or protected health information intended solely for the use of the named recipient and may be privileged or otherwise protected by law. If you are not the intended recipient of this message, you should immediately notify the sender and delete this message. Do not disseminate, reproduce, or review this message or attachments if you are not the intended recipient. The sender or others may have legal rights restricting the dissemination of the information contained in this message and, as a result, remedies against you in the event of the improper dissemination of confidential information, trade secrets, personal information or privileged communications. This message is the work of the sender and does not necessarily reflect the position, views, or policies of TriMedx LLC or its affiliates. WARNING: The integrity and security of this message cannot be guaranteed and may contain or transmit a virus or other illicit code. Neither TriMedx LLC or its affiliates accept liability for any damage attributable to viruses or illicit code transmitted through this message or an attachment. [View Less]

2 1

older browsers, stunnel and privoxy
by kovacs janos 04 Mar '24

04 Mar '24

sorry to bother, im trying to make older browsers be able to display TLS 1.1 and TLS 1.2 sites. i heard stunnel cant be configured to always forward to the current site address dynamically, thats why i would use privoxy. the browser is configured to send to: 127.0.0.1 443 stunnel config has this at the end: [Tunnel_in] client = yes accept = 127.0.0.1:443 connect = 127.0.0.1:8118 verifyChain = yes CAfile = ca-certs.pem checkHost = localhost 127.0.0.1:8118 is the privoxy address. this is what … [View More]

8 41

TPM based mutual tls authentication
by Nyiri, Gabor (Nokia - HU/Budapest) 07 Nov '23

07 Nov '23

Hi, Can you help me how to configure stunnel client to use TPM for mutual TLS authentication? I want to connect with mTLS to a remote server then make this connection available for localhost without mTLS. Thanks for your help in advance! Here is my configuration so far without TPM: debug = debug output = /tmp/stunnel.log foreground = yes [mtls_client] client = yes accept = 127.0.0.1:12019 sni = server-with-mtls.example.com checkHost = server-with-mtls.example.com connect = 1.2.3.4:443 … [View More]

2 1

Seeing Message in Plain Text in Wireshark
by David Brower 28 Jan '21

28 Jan '21

First time user of Stunnel and I just wanted to check what I'm doing wrong. I have two processes running: a TCP Listener that listens on port 13000 and a TCP client that sends it a message. I'm running Stunnel on Windows 10 with the following config: [myapp] client = yes accept = 13001 connect = 13000 cert = stunnel.pem TIMEOUTclose=0 I updated the TCP client to send the message to port 13001 but when I check Wireshark I can still see the contents of the message in plaintext. Shouldn't I no … [View More]

3 2

Stunnel intercept and modify payload
by Sealside - 26 Jan '21

26 Jan '21

Hi! I'm wondering if it is possible to modify payload before it is encrypted? I have a stunnel config which intercepts TLS. I have the following config: [server] client = no cert= /etc/stunnel/stunnel.pem accept = 127.0.0.1:11010 connect = 127.0.0.1:12220 [client] client = yes accept = 127.0.0.1:12220 connect = remoteserver_ip:12222 So when posting TLS messages on port 11010 from my TLS-client on the same server, I can connect to port 12220 using tcp-dump and read the payload unencrypted. … [View More]

1 0

Poss Memory Leak
by Danny Clowes 25 Jan '21

25 Jan '21

Hi, Using the latest build of S'tunnel getting this error when do systemctl status stunnel4 can anyone shed some light on this please using Debian 9 as unable to get Debian 10 work with Stunnel. Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508179]: Possible memory leak at ../ssl/packet_locl.h:385: 1021646 allocations Jan 25 17:30:38 mobile-connection-server stunnel[16656]: LOG4[508091]: Possible memory leak at ../ssl/packet_locl.h:385: 1021646 allocations Jan 25 17:30:38 … [View More]

1 0

installation v run ad-hoc
by Andrew Zenz 21 Jan '21

21 Jan '21

Hi there, a bit of background to start. We are using SEE4C (from marshallsoft.com) for sending email from our application, and have been for some time. We call various functions from their see32.dll. It has been sitting on the back-burner for some time, but now we must implement TLS/SSL for outgoing mail. MarshallSoft don't do TLS/SSL themselves, instead passing that responsibility on to stunnel by way of an internal function I have been reading MarshallSoft's doco and find … [View More]

1 0

Why the version of Client Hello is always TLS 1.0 ?
by liuyongjiao＠synqnc.com 13 Jan '21

13 Jan '21

Hi, Why the TLS version is always 1.0 ? Please help to check. Frame 11: 1721 bytes on wire (13768 bits), 1721 bytes captured (13768 bits) Ethernet II, Src: fa:16:3e:53:dc:2f (fa:16:3e:53:dc:2f), Dst: IETF-VRRP-VRID_02 (00:00:5e:00:01:02) Internet Protocol Version 4, Src: 10.160.8.11, Dst: 10.160.130.34 Transmission Control Protocol, Src Port: 50692, Dst Port: 9002, Seq: 1, Ack: 1, Len: 1655 Transport Layer Security TLSv1 Record Layer: Handshake Protocol: Client Hello Content Type: … [View More]Handshake (22) Version: TLS 1.0 (0x0301) Length: 1650 Handshake Protocol: Client Hello Handshake Type: Client Hello (1) Length: 1646 Version: TLS 1.2 (0x0303) Random: fd7cbf2da8172c362ebd3120b2dcd3886f3015eabfb5f167… Session ID Length: 32 Session ID: 4ea202f00bd35c102c97e8621f68e33dd59ad8ee95a58a2f… Cipher Suites Length: 170 Cipher Suites (85 suites) Compression Methods Length: 1 Compression Methods (1 method) Extensions Length: 1403 Extension: server_name (len=18) Extension: ec_point_formats (len=4) Extension: supported_groups (len=28) Extension: session_ticket (len=1296) Extension: signature_algorithms (len=32) Extension: heartbeat (len=1) Following are the config file: ;************************************************************************** ; * Global options * ; ************************************************************************** ; It is recommended to drop root privileges if stunnel is started by root ;setuid = stunnel4 ;setgid = stunnel4 ; PID file is created inside the chroot jail (if enabled) pid = /home/stunnelnew.pid ; Debugging stuff (may be useful for troubleshooting) ;foreground = yes ;debug = info debug = debug output = /home/log/stunnelnew.log ;options = NO_SSLv2 ;options = NO_SSLv3 ;options = NO_TLSv1 ;options = NO_TLSv1.1 ;sslVersionMax = TLSv1.2 ;sslVersionMin = TLSv1.2 ; ************************************************************************** ; * Service definitions (remove all services for inetd mode) * ; ************************************************************************** [xxxxxxxxxxxx] ;socket = a:SO_REUSEADDR=no retry = yes ;options = NO_SSLv2 ;options = NO_SSLv3 ;options = NO_TLSv1 ;options = NO_TLSv1.1 sslVersion = TLSv1.2 ;socket = l:SO_LINGER=1:13 ;sslVersionMin = TLSv1.2 cert = /home/x/ssltest/x/server.cer key = /home/x/ssltest/x/server_key.pem CAfile = /home/x/ssltest/x/trust.cer client = yes accept = 31115 connect = 10.160.1.11:9113 liuyongjiao(a)synqnc.com [View Less]

1 0

stunnel to gmail didn't work
by wangweihsiang1109＠gmail.com 09 Jan '21

09 Jan '21

Hello,I have set up a website,and I want to send email by gmail,so I used stunnel,but my gmail didn't send anything. 2021.01.08 15:01:58 LOG5[14]: Service [gmail-smtp] accepted connection from 127.0.0.1:59920 2021.01.08 15:01:58 LOG5[14]: s_connect: connected 2404:6800:4008:c06::6d:587 2021.01.08 15:01:58 LOG5[14]: Service [gmail-smtp] connected remote server from 2001:b011:e:3358:b5b1:fa68:8b3:883c:59921 2021.01.08 15:01:59 LOG5[14]: Connection closed: 22 byte(s) sent to TLS, 154 byte(s) sent … [View More]

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

stunnel-users January 2021