<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hi, ok after reading this a little bit better on the big screen vs. my phone…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I do have debug on and I can’t run iperf on vms. (the file I posted last, was one without any modifications.)<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It won’t start…<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Here is the file I’m currently using.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>$ ty STUNNEL_SERVER.CONF;<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Sample stunnel configuration file by Michal Trojnara 2002-2006<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Some options used here may not be adequate for your particular configuration<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Certificate/key is needed in server mode and optional in client mode<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; The default certificate is provided only for testing and should not<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; be used in a production environment<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>cert = stunnel.pem<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;key = stunnel.pem<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Some performance tunings<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>socket = l:TCP_NODELAY=1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>socket = r:TCP_NODELAY=1<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Workaround for Eudora bug<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;options = DONT_INSERT_EMPTY_FRAGMENTS<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Authentication stuff<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;verify = 2<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Don't forget to c_rehash CApath<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;CApath = certs<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; It's often easier to use CAfile<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;CAfile = certs.pem<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Don't forget to c_rehash CRLpath<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;CRLpath = crls<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Alternatively you can use CRLfile<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;CRLfile = crls.pem<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Some debugging stuff useful for troubleshooting<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>debug = 7<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>output = stunnel.log<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Use it for client mode<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>client = yes<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; Service-level configuration<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;[pop3s]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;accept = 995<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;connect = 110<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>[telnet]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>accept = 992<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>connect = 23<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>client = no<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;[ssmtp]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;accept = 465<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;connect = 25<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;[https]<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;accept = 443<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;connect = 80<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>;TIMEOUTclose = 0<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>; vim:ft=dosini<o:p></o:p></span></p><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Rob Lockhart [mailto:rlockhar@gmail.com] <br><b>Sent:</b> Wednesday, April 08, 2015 6:38 PM<br><b>To:</b> Coviello, Paul<br><b>Cc:</b> stunnel-users@stunnel.org<br><b>Subject:</b> Re: [stunnel-users] openvms and stunnel<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><div><div><div><p class=MsoNormal>On Wed, Apr 8, 2015 at 4:47 PM, Coviello, Paul <<a href="mailto:pcoviello@ccsusa.com" target="_blank">pcoviello@ccsusa.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>here is the hp webpage…</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="http://h71000.www7.hp.com/opensource/opensource.html#stunnel" target="_blank">http://h71000.www7.hp.com/opensource/opensource.html#stunnel</a></span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Ok so it appears the HP webpage shows a different version of stunnel than the <a href="http://h71000.www7.hp.com/opensource/stunnel_readme_axp_i64.txt">page you linked before</a> (stunnel 3). Nevertheless, if you keep having problems, I suggest starting simple and add to it one at a time, specifically try to get a stunnel client/server session on your local machine. If you can't get that working, it's going to be very difficult to debug. Speaking of debug, have you enabled the debugging options and tried running the stunnel server? You may also want to use ports above 1023 per <a href="http://www.w3.org/Daemon/User/Installation/PrivilegedPorts.html">this link</a>. Try killing the server and restarting again with logging enabled and set to 7, and have the log file point to a path for which you have write-access.The latest server log you had commented out the debug and output as well as client, but you should keep that uncommented as follows below:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><span style='font-size:9.5pt'>debug = 7<br>output = stunnel.log<br>client = no</span><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>If you can use high ports for testing (>1023) using iperf (IPERF.EXE) and that works, then you know it's something perhaps in your VAX firewall that prohibits connecting on port 23 (telnet) from another application.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Do this as follows:<o:p></o:p></p></div><div><p class=MsoNormal>1) Create a s4client.conf file with the following contents:<o:p></o:p></p></div><div><p class=MsoNormal>sslVersion=TLSv1<o:p></o:p></p></div><div><p class=MsoNormal>FIPS = no<o:p></o:p></p></div><div><div><p class=MsoNormal>socket = l:TCP_NODELAY=1<o:p></o:p></p></div><div><p class=MsoNormal>socket = r:TCP_NODELAY=1<o:p></o:p></p></div></div><div><p class=MsoNormal>client = yes<o:p></o:p></p></div><div><div><p class=MsoNormal>[iperf]<o:p></o:p></p></div><div><p class=MsoNormal>accept = <a href="http://127.0.0.1:5000">127.0.0.1:5000</a><o:p></o:p></p></div><div><p class=MsoNormal>connect = <a href="http://127.0.0.1:6000">127.0.0.1:6000</a><o:p></o:p></p></div></div><div><p class=MsoNormal>delay = no<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>2) Create a s4server.conf file with the following contents (modify as appropriate for the stunnel.pem file location):<o:p></o:p></p></div><div><p class=MsoNormal>sslVersion=TLSv1<o:p></o:p></p></div><div><p class=MsoNormal>cert=C:\TEST\stunnel.pem<o:p></o:p></p></div><div><div><p class=MsoNormal>socket = l:TCP_NODELAY=1<o:p></o:p></p></div><div><p class=MsoNormal>socket = r:TCP_NODELAY=1<o:p></o:p></p></div></div><div><p class=MsoNormal>client = no<o:p></o:p></p></div><div><div><p class=MsoNormal>[iperf]<o:p></o:p></p></div><div><p class=MsoNormal>accept = <a href="http://127.0.0.1:6000">127.0.0.1:6000</a><o:p></o:p></p></div><div><p class=MsoNormal>connect = <a href="http://127.0.0.1:7000">127.0.0.1:7000</a><o:p></o:p></p></div></div><div><p class=MsoNormal>delay = no<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>3) Open up four command prompts in VMS (if you can), one for each of the four corners (quadrants) of the screen. The data flow will be from Q2 (upper-left) to Q1 (upper-right), then to Q4 (lower-right), then finally to Q3 (lower-left).<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>4) . In Q1 run: s4client.exe s4client.conf<o:p></o:p></p></div><div><p class=MsoNormal>. In Q4 run: s4server.exe s4server.conf<o:p></o:p></p></div><div><p class=MsoNormal>. In Q3 run: iperfs -p 7000 -s<o:p></o:p></p></div><div><p class=MsoNormal>. In Q2 run: iperfc -c localhost -p 5000 -t 1<o:p></o:p></p></div><div><p class=MsoNormal>. If it worked, you should see something like the message below:<o:p></o:p></p></div><div><p class=MsoNormal>------------------------------------------------------------<o:p></o:p></p></div><div><p class=MsoNormal>Client connecting to localhost, TCP port 5000<o:p></o:p></p></div><div><p class=MsoNormal>TCP window size: 63.0 KByte (default)<o:p></o:p></p></div><div><p class=MsoNormal>------------------------------------------------------------<o:p></o:p></p></div><div><p class=MsoNormal>[ 3] local 127.0.0.1 port 50097 connected with 127.0.0.1 port 5000<o:p></o:p></p></div><div><p class=MsoNormal>[ ID] Interval Transfer Bandwidth<o:p></o:p></p></div><div><p class=MsoNormal>[ 3] 0.0- 1.0 sec 38.9 MBytes 321 Mbits/sec<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>5) If that works, change the ports around and use something like 999 for connect (client) and accept (server). Restart the client and server and see if iperf still works.<o:p></o:p></p></div><div><p class=MsoNormal>6) If that works, now try to change connect (server) to port 23, restart client and server, and then telnet to port 5000.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div></div></body></html>