<div dir="ltr"><div class="1st">Hi Scott,<br><br>Thank you for your reply, however I am still consistently 'killing' stunnel with a segfault.<br>It is very simple to reproduce and it is consistent. I am using stunnel v4.41 (and I am trying to secure an RDP connection, not an HTTP one).<br>With or without client mode, I get the segfault. I tried both cases.<br><br>To 'kill' stunnel, all I do is run the following from any machine:<br>telnet stunnel_machine 1957<br><br>---> stunnel_machine [listens on 1957] ---> remote_machine [listens on 3389]<br><br>stunnel is configured to listen on port 1957 and forward to 3389:<br>[rdps]<br>accept = 1957<br>connect = machine2:3389<br><br>In production, my deployment environment will be:<br>Java Applet (an RDP client, not HTTP) ---> stunnel_machine [listens on 1957] ---> machine2 [listens on 3389]<br><br>The Java applet is an RDP client (not HTTP) which issues RDP calls that I want encrypted (hence stunnel).</div><div><br></div><div>Please advise,</div><div>Thank you</div><div><br></div><div>Yassine</div><br><div class="gmail_quote">2011/12/21 Scott Damron <span dir="ltr"><<a href="mailto:sdamron@gmail.com">sdamron@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Right...so, here is a sample config, I will add emphasis on the parts you need to make sure you have.<br><br>; Sample stunnel configuration file by Michal Trojnara 2002-2006<br>
; Some options used here may not be adequate for your particular configuration<br>
; Please make sure you understand them (especially the effect of chroot jail)<br> <br>; Certificate/key is needed in server mode and optional in client mode<br>cert = /newcert.pem<br>key = /newkey.pem<br> <br>; Protocol version (all, SSLv2, SSLv3, TLSv1)<br>
sslVersion = SSLv3, TLSv1<br> <br>; Some security enhancements for UNIX systems - comment them out on Win32<br>chroot = /var/lib/stunnel4/<br>setuid = stunnel4<br>setgid = stunnel4<br>; PID is created inside chroot jail<br>
pid = /stunnel4.pid<br>
<br>; Some performance tunings<br>;socket = l:TCP_NODELAY=1<br>socket = r:TCP_NODELAY=1<br>;compression = rle<br> <br>; Workaround for Eudora bug<br>;options = DONT_INSERT_EMPTY_FRAGMENTS<br> <br>; Authentication stuff<br>
;verify = 2<br>; Don't forget to c_rehash CApath<br>; CApath is located inside chroot jail<br>;CApath = /certs<br>; It's often easier to use CAfile<br>;CAfile = /etc/stunnel/certs.pem<br>; Don't forget to c_rehash CRLpath<br>
; CRLpath is located inside chroot jail<br>;CRLpath = /crls<br>; Alternatively you can use CRLfile<br>;CRLfile = /etc/stunnel/crls.pem<br> <br>; Some debugging stuff useful for troubleshooting<br>debug = 7<br>output = /var/log/stunnel4/stunnel.log<br>
<br><font color="#6666cc">; Use it for client mode<br>client = yes</font><br> <br>; Service-level configuration<br> <br>;[pop3s]<br>;accept = 995<br>;connect = 110<br> <br>;[imaps]<br>;accept = 993<br>;connect = 143<br>
<br>;[ssmtp]<br>;accept = 465<br>;connect = 25<br> <br>[https]<br><span style="background-color:rgb(51,255,51)">accept = 10.x.x.x:443<br>connect = 11.x.x.x:443</span><div>
; here you need to have an IP address for each accept and connect, as well as a port. If you are connecting to localhost, put 127.0.0.1.<br>;TIMEOUTclose = 0<br>
<br>; vim:ft=dosini<div><div class="h5"><br><br>On Wed, Dec 21, 2011 at 12:26 PM, yassine ayachi <<a href="mailto:ayachi.yassine@gmail.com" target="_blank">ayachi.yassine@gmail.com</a>> wrote:<br>> Hi Scott,<br>
><br>> I am not quite sure to understand your answer. Let me add some more info to<br>
> make it clear on how I get the segfault:<br>><br>> A Java applet (from a web browser) is invoking the stunnel machine on the port<br>> 1957; stunnel then redirects the traffic into the remote_machine, so I only<br>
> have the server stunnel portion installed (in the stunnel machine ).<br>><br>> when I run a telnet on any machine connected to the internet this way:<br>> telnet stunnel_machine 1957<br>> the stunnel on the stunnel machine dies...with the error posted previously.<br>
><br>> Greetings,<br>> --<br>> Yassine<br>><br>> 2011/12/21 Scott Damron <<a href="mailto:sdamron@gmail.com" target="_blank">sdamron@gmail.com</a>><br>>><br>>> You need to have an IP address for the local connection and you need<br>
>> the client portion enabled as well.<br>>><br>>> Scott<br>>><br>>> On Wed, Dec 21, 2011 at 10:51 AM, yassine ayachi<br>>> <<a href="mailto:ayachi.yassine@gmail.com" target="_blank">ayachi.yassine@gmail.com</a>> wrote:<br>
>> > Hi all,<br>>> ><br>>> > I'm trying to encrypt a connection between two hosts using stunnel.<br>>> > ----- here is my config file ----<br>>> > cert = /usr/local/etc/stunnel/stunnel.pem<br>
>> > chroot = /usr/local/var/lib/stunnel/<br>>> > setuid = nobody<br>>> > setgid = nogroup<br>>> > pid = /stunnel.pid<br>>> > socket = l:TCP_NODELAY=1<br>>> > socket = r:TCP_NODELAY=1<br>
>> ><br>>> > debug = debug<br>>> > output = stunnel.log<br>>> > ---<br>>> > [rdps]<br>>> > accept = 1957<br>>> > connect = remote_machine:3389<br>>> ><br>
>> > Everything was working fine until I tried to telnet to port 1957 on<br>>> > the<br>>> > machine running stunnel; the stunnel process died on its own, leaving<br>>> > this<br>
>> > in /var/log/messages:<br>
>> ><br>>> > Dec 20 16:58:01 alpha kernel: [4930384.164316] stunnel[14540]: segfault<br>>> > at 8<br>>> > ip b7629b61 sp b758d16c error 6 in libc-2.7.so[b75bd000+138000]<br>
>> ><br>>> > Does anybody have an idea about this problem,<br>>> ><br>>> > thanks in advance,<br>>> ><br>>> > Yassine<br>>> ><br>>> ><br>>> > _______________________________________________<br>
>> > stunnel-users mailing list<br>>> > <a href="mailto:stunnel-users@stunnel.org" target="_blank">stunnel-users@stunnel.org</a><br>>> > <a href="http://stunnel.mirt.net/mailman/listinfo/stunnel-users" target="_blank">http://stunnel.mirt.net/mailman/listinfo/stunnel-users</a><br>
>> ><br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div><br>
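<div>For reference, the two-sided stunnel layout this thread is working towards, written out as an added example; it is not a configuration posted by either participant. It assumes the hostnames <code>stunnel_machine</code> and <code>machine2</code> from the thread, a second stunnel instance on the host running the Java applet (the applet speaks plain RDP, so something on its side has to wrap the connection in TLS before it reaches port 1957), and placeholder certificate paths. Global options apply to a whole stunnel.conf, so the server and client halves below are two separate files.</div>

```ini
; ===== server side: /etc/stunnel/stunnel.conf on stunnel_machine =====
; Hypothetical paths; server mode requires a certificate and key.
cert = /etc/stunnel/stunnel.pem
chroot = /var/lib/stunnel4/
setuid = stunnel4
setgid = stunnel4
; PID path is relative to the chroot jail
pid = /stunnel4.pid
sslVersion = TLSv1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log

; Optional hardening: only accept TLS clients that present a certificate
; signed by (or listed in) CAfile. CAfile is read before the chroot applies.
;verify = 2
;CAfile = /etc/stunnel/clients.pem

[rdps]
; TLS listener. A plain "telnet stunnel_machine 1957" never sends a TLS
; ClientHello, so it can only ever produce a failed handshake, not an RDP session.
accept  = 1957
; Plaintext RDP to the terminal server; keep this hop on a trusted segment.
connect = machine2:3389

; ===== client side: stunnel.conf on the host running the Java applet =====
client = yes
sslVersion = TLSv1
socket = r:TCP_NODELAY=1
debug = 7
output = /var/log/stunnel4/stunnel.log

; Optional but recommended: verify the server certificate so the applet
; cannot be redirected to an impostor listener.
;verify = 2
;CAfile = /etc/stunnel/server.pem

[rdp]
; The applet connects here in plain RDP (127.0.0.1 keeps it local to the host).
accept  = 127.0.0.1:3390
; stunnel wraps it in TLS and sends it to the server-side listener above.
connect = stunnel_machine:1957
```

<div>With this layout the applet is pointed at 127.0.0.1:3390 instead of the remote host, and only TLS crosses the network. The realistic way to exercise the server half without the applet is <code>openssl s_client -connect stunnel_machine:1957</code> from another host, which performs an actual handshake; telnet does not.</div>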
</div>