December 2004 - stunnel-users

stunnel 4.06 problems with service on XP
by Mat Leinmueller 28 Dec '04

28 Dec '04

Hi, I tried to upgrade an existing 4.04 stunnel service to 4.06 (uninstalled service, reinstalled with new version). The service gets registered correctly, when I try to start it, however, it seems not to find the stunnel.conf file. After downgrading to 4.04 everything works again. Any suggestions? Mat

2 1

Error when executing stunnel 4.06 Windows binaries as service
by Liron Newman 28 Dec '04

28 Dec '04

Hello, I'm trying to run the offical stunnel 4.06 Win32 binaries from stunnel.org as a service, but I get the following error: "The procedure entry point freeaddrinfo could not be located in the dynamic link library WS2_32.DLL" I looked it up a bit and it seems to have something to do with IPv6, but I don't use it.. stunnel 4.05 works fine as a service, and worked without a problem for months now. I'm using Win2k SP4 fully patched. Help? :)

2 1

Problem with stunnel 4.06 on FreeBSD and possibly other systems
by Michal Trojnara 28 Dec '04

28 Dec '04

Dear Users, Frank de Bot has found a bug in stunnel 4.06. I've attached the patch stunnel needs to work on FreeBSD (and possibly other) systems. It's not needed on Linux and WIN32 platforms. Best regards, Mike

2 1

ERROR: stunnel-4.06.exe file is linked to missing export ...
by Mike_Stunnel 26 Dec '04

26 Dec '04

When I try to start and test stunnel-4.06 on Windows ME, I get the following error message: The STUNNEL-4.06.EXE file is linked to missing export WS2_32.DLL:freeaddinfo Stunnel-4.05 runs fine and I have OpenSSL 0.9.7e How do I resolve this? Thanks, mz

1 0

Stunnel 4.06 released
by Michal Trojnara 25 Dec '04

25 Dec '04

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Here is the ChangeLog entry: Version 4.06, 2004.12.26, urgency: LOW: * New feature sponsored by SURFnet http://www.surfnet.nl/ - IPv6 support (to be enabled with ./configure --enable-ipv6). * New features - poll() support - no more FD_SETSIZE limit! - Multiple connect=host:port options are allowed in a single service section. Remote hosts are connected using round-robin algorithm. This feature is not compatible with delayed resolver. - New 'compression' option to enable compression. To use zlib algorithm you have to enable it when building OpenSSL library. - New 'engine' option to select a hardware engine. - New 'TIMEOUTconnect' option with 10 seconds default added. - stunnel3 perl script to emulate version 3.x command line options. - French manual updated by Bernard Choppy <choppy AT free POINT fr>. - A watchdog to detect transfer() infinite loops added. - Configuration file comment character changed from '#' to ';'. '#' will still be recognized to keep compatibility. - MT-safe getaddrinfo() and getnameinfo() are used where available to get better performance on resolver calls. - Automake upgraded from 1.4-p4 to 1.7.9. * Bugfixes - log() changed to s_log() to avoid conflicts on some systems. - Common CRIT_INET critical section introduced instead of separate CRIT_NTOA and CRIT_RESOLVER to avoid potential problems with libwrap (TCP Wrappers) library. - CreateThread() finally replaced with _beginthread() on Win32. - make install creates $(localstatedir)/stunnel. $(localstatedir)/stunnel/dev/zero is also created on Solaris. - Race condition with client session cache fixed. - Other minor bugfixes. * Release notes - Win32 port requires Winsock2 to work. Some Win95 systems may need a free update from Microsoft. http://www.microsoft.com/windows95/downloads/ - Default is *not* to use IPv6 '::' for accept and '::1' for connect. For example to accept pop3s on IPv6 you could use: 'accept = :::995'. I hope the new syntax is clear enough. Homepage: http://stunnel.mirt.net/ Download: ftp://stunnel.mirt.net/stunnel/ Best regards, Mike -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFBzf1b/NU+nXTHMtERAtUVAKD+41kLTFS/qrOleskfH1MZEkYr2ACfcJPZ 4QQk085XimnyplqENZaT7nk= =zIM2 -----END PGP SIGNATURE-----

1 0

Faulting application stunnel-4.05.exe
by Paulo Cesar Soares da Silva 25 Dec '04

25 Dec '04

stunnel-4.05.exe executed as a service presents the following problems: Faulting application stunnel-4.05.exe, version 0.0.0.0, faulting module libssl32.dll, version 0.0.0.0, fault address 0x00006cd8. Faulting application stunnel-4.05.exe, version 0.0.0.0, faulting module libeay32.dll, version 0.0.0.0, fault address 0x000564ec. The application, C:\Program Files\Crivo\tn3270\stunnel-4.05.exe, generated an application error The error occurred on 11/10/2004 @ 15:37:13.875 The exception generated was c0000005 at address 6B086CD8 (libssl32!SSL_set_session) Faulting application stunnel-4.05.exe, version 0.0.0.0, faulting module ntdll.dll, version 5.2.3790.0, fault address 0x000086f7. Environment: Hardware IBM 86496BX Dual processor 3 GHz Software OS Name Microsoft(R) Windows(R) Server 2003, Standard Edition , Version 5.2.3790 Build 3790 The following files are in same folder (..\Program Files\Teste\Stunnel) stunnel-4.05.exe, 4.05 libeay32.dll, openssl-0.9.7d-zlib libssl32.dll, openssl-0.9.7d-zlib Comntents of stunnel.conf: client = yes verify = 0 service = stunnel 4.05 options = DONT_INSERT_EMPTY_FRAGMENTS [data] accept = localhost:3500 connect = www.teste.com.br:443 delay = yes I would appreciate if anyone can help me on this? many thanks in advance! Paulo Cesar Soares da Silva (11) 3231-5396 pcesar(a)crivo.com.br --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com) Version: 6.0.794 / Virus Database: 538 - Release Date: 10/11/2004 --- Incoming mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com) Version: 6.0.794 / Virus Database: 538 - Release Date: 10/11/2004 --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com) Version: 6.0.799 / Virus Database: 543 - Release Date: 19/11/2004

2 1

Gmail / Eudora / SpamPal and Stunnel
by John Bullas 21 Dec '04

21 Dec '04

Good Morning I hope there is someone on this group who can assist? I am running Eudora 6.2.0.14, Stunnel-4.04, SpamPal 1,583 win 2k on D drive / Stunnel on e (partitions not physical) startup line E:\stunnel\stunnel-4.04.exe Stunnel log after running it (systray icon appears to suggest it is started and Services app allowed me to start it) 2004.12.22 08:15:32 LOG5[3216:208]: stunnel 4.04 on x86-pc-mingw32-gnu WIN32 with OpenSSL 0.9.7c 30 Sep 2003 2004.12.22 08:15:32 LOG7[3216:1504]: Snagged 64 random bytes from C:/.rnd 2004.12.22 08:15:32 LOG7[3216:1504]: Wrote 1024 new random bytes to C:/.rnd 2004.12.22 08:15:32 LOG7[3216:1504]: RAND_status claims sufficient entropy for the PRNG 2004.12.22 08:15:32 LOG6[3216:1504]: PRNG seeded successfully 2004.12.22 08:15:32 LOG5[3216:1504]: WIN32 platform: 30000 clients allowed 2004.12.22 08:15:32 LOG7[3216:1504]: FD 324 in non-blocking mode 2004.12.22 08:15:32 LOG7[3216:1504]: SO_REUSEADDR option set on accept socket 2004.12.22 08:15:32 LOG7[3216:1504]: pop bound to 127.0.0.1:1109 2004.12.22 08:15:32 LOG7[3216:1504]: FD 332 in non-blocking mode 2004.12.22 08:15:32 LOG7[3216:1504]: SO_REUSEADDR option set on accept socket 2004.12.22 08:15:32 LOG7[3216:1504]: imap bound to 127.0.0.1:1439 2004.12.22 08:15:32 LOG7[3216:1504]: FD 340 in non-blocking mode 2004.12.22 08:15:32 LOG7[3216:1504]: SO_REUSEADDR option set on accept socket 2004.12.22 08:15:32 LOG7[3216:1504]: smtp bound to 127.0.0.1:259 Eudora settings: username: myloginname@gmail.com@127.0.0.1:1109 smtp server:127.0.0.1 incoming server as POP and local ohst or 127.0.0.1 see below I can RECEIVE Gmail ok but SENDING prompts a "Could not connect to "127.0.0.1" Cause: connection refused (10061) ditto if "localhost" is used as the pop server in steadof 127.0.0.1 I have Hotmail Popper on 127.0.0.2 for hotmail and Spampal/Eudora is fine with that Hotmail Popper? A method to send/receive Hotmail via POP http://www.boolean.ca/hotpop/ Spampal? http://www.spampal.org a free spam tagging proxy(?) I am now in the realms of "playing about" to try and fix this outgoing mail issue HOWEVER I am sure someone in this forum has Gmail happily sending and receiving!!!! Gmail REQUIRES SSL A connection to my university email will not SEND over IMAP and needs to go out via SMTP as it requires a verified internal IP address to work (relay denied) I am uncertain of how the SSL settings in Eudora need to be set to allow Gmail to both send/receive using Required Alternate Post as given in the online help for Gmail via spampal and Stunnel http://gmail.google.com/support/bin/answer.py?answer=13279&query=eudora&top… ( aka: http://tinyurl.com/5vp6u ) Your learned wisdom would be welcome!!!! Regards John "Fatbloke" Bullas Southampton UK Yes I know Spampal and Gmail is "belt and braces" but I have a challenge here!!!! Justified "give up you can't" would be equally appreciated ** Eudora Mail 6.2 / McAfee Virus Scan 4.5.1 / Sp*mPal **

1 0

Fwd: [stunnel-users] stunnel 'options' section of config file
by Justin Miller 21 Dec '04

21 Dec '04

I understand the security concerns... I was just trying different protocols because I was receiving weird error messages with some https proxies (using the mathias wald patch) about wrong version numbers, etc. Googling it seemed to indicate that enabling/disabling ssl2/ssl3/tls1 could do the trick. However, I can't even get 'openssl s_client...' to yield a successful connection with some of these proxies. Can stunnel handle incoming http or socks proxy requests/connections? If not, will you ever support that? For instance I want stunnel listening on a local port 8080 and connect to a remote https proxy, and I set the HTTP proxy server in gaim to localhost:8080. -Justin On Tue, 21 Dec 2004 15:20:19 +0100, Michal Trojnara <Michal.Trojnara(a)mobi-com.net> wrote: > Justin Miller wrote: > > So all looks well ang good... But then when it sends the client hello > > message, one would expect an ssl2 message, but we get the following > > Stunnel is not supposed to act as SSLv2 client. It uses > SSLv3_client_method() in src/ssl.c file. If you really need SSLv2 - change > it to SSLv2_client_method() and recompile stunnel. It's not recommended for > security, anyway. > > See SSL_CTX_new(3) manual for details. > > Best regards, > Mike > > _______________________________________________ > stunnel-users mailing list > stunnel-users(a)mirt.net > http://stunnel.mirt.net/mailman/listinfo/stunnel-users >

2 2

stunnel 'options' section of config file
by Justin Miller 21 Dec '04

21 Dec '04

Is it just me, or does stunnel not seem to obey the ssl 'options' setting in the config file? I have the lines: options = TLS_ROLLBACK_BUG options = NO_TLSv1 options = NO_SSLv3 And when I start stunnel, the output is: 2004.12.20 07:47:46 LOG7[9981:1024]: Configuration SSL options: 0x06800000 2004.12.20 07:47:46 LOG7[9981:1024]: SSL options set: 0x06800000 So all looks well ang good... But then when it sends the client hello message, one would expect an ssl2 message, but we get the following output: 2004.12.20 07:47:51 LOG7[9984:1026]: SSL state (connect): SSLv3 write client hello A 2004.12.20 07:47:51 LOG7[9984:1026]: waitforsocket: FD=10, DIR=read 2004.12.20 07:47:51 LOG7[9984:1026]: waitforsocket: ok 2004.12.20 07:47:51 LOG7[9984:1026]: SSL alert (write): fatal: handshake failure 2004.12.20 07:47:51 LOG3[9984:1026]: SSL_connect: 1408F10B: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number That first line seems to indicate that it's still sending a v3 message. Is this actually what's happening?

2 1

Re: [stunnel-users] UDP applications
by Colin McKinnon 21 Dec '04

21 Dec '04

On Tuesday 21 December 2004 03:58, you wrote: > > This encapsulation of udp packets was what i was referring to... Could > you plz give me some pointers where this is "well" documented. > Google suggested: http://www.stunnel.org/examples/pppvpn.html http://www.buildinglinuxvpns.net/sourcecode/r/4/vpn-server.html http://mia.ece.uic.edu/~papers/bin/ppp_over_ssl_vpn_client http://irb.cs.tu-berlin.de/dienste/dialup/inhouse/irbvpnclient (although note that a cursory glance trhough suggests sme of these use stunnel v3 config syntax) C.

1 0