October 2005 - stunnel-users

Usage scenarios of stgunnel
by Jagannadha Bhattu Gosukonda 09 Oct '05

09 Oct '05

Hi, Can you kindly let me know the usage scenarios of stunnel in the sense that will it be used mainly at the client side / server side? which is the most common scenario? Thanks JB

1 0

STUNNEL and Windows 98 Second Edition
by David T. Ashley 08 Oct '05

08 Oct '05

I've installed STUNNEL on a Win 98 SE machine. Connections die after a few or a few hundred bytes. Any ideas? Thanks, Dave. ----------------------------------- David T. Ashley (dta(a)e3ft.com) Thousand Feet Consulting, LLC

2 1

UID/GID/Permissions Issue
by David T. Ashley 08 Oct '05

08 Oct '05

I've installed STUNNEL, works great, etc. etc. etc. Just one thing is a mystery .... The daemon definitely runs with UID "stunnel" (as I set it up), but still somehow it is able to grab its own keys and cert, as well as the client cert, which I set with root-only access. How is that possible? Does it buffer these things during startup (as root) before it sets UID/GID to stunnel, or am I missing something? Thanks. ----------------------------------- David T. Ashley (dta(a)e3ft.com) Thousand Feet Consulting, LLC

1 0

stunnel-4.12 Solaris 9 libwrap compile problem
by John Christian 07 Oct '05

07 Oct '05

Hi gurus... I'm setting up a centralized log server for all of my Solaris 9 hosts. Kim's article at http://www.sun.com/bigadmin/features/articles/syslog_ng.html is providing much of the guidence. I plan to use syslog-ng, but would like to have stunnel in place first. http://www.sunfreeware.com does not have a pre-rolled stunnel for Solaris 9. I'm receiving the error below when trying to compile stunnel-4.12 on Solaris 9. Can you offer any tips on overcoming the stunnelcompile error below? ERROR: [snip] gcc -g -O2 -Wall -Wshadow -Wcast-align -Wpointer-arith -I/usr/local/ssl/include -o stunnel client.o log.o options.o protocol.o network.o resolver.o ssl.o sthreads.o stunnel.o pty.o -lz -lsocket -lnsl -L/usr/local/ssl/lib -lssl -lcrypto -lwrap Undefined first referenced symbol in file allow_severity /usr/sfw/lib/libwrap.so deny_severity /usr/sfw/lib/libwrap.so ld: fatal: Symbol referencing errors. No output written to stunnel collect2: ld returned 1 exit status make[1]: *** [stunnel] Error 1 make[1]: Leaving directory `/var/spool/src/stunnel-4.12/src' make: *** [all-recursive] Error 1 I'm using GNU's make 3.80 and gcc 3.4.2. My environment variable LD_LIBRARY_PATH is: LD_LIBRARY_PATH=/usr/openwin/lib:/usr/dt/lib:/usr/local/lib:/usr/local/ssl/lib:/usr/sfw/lib Thanks for taking the time to share any direct solutions or hints that will help me find a solution. -John __________________________________ Yahoo! Mail - PC Magazine Editors' Choice 2005 http://mail.yahoo.com

1 0

Help With Verify = 3
by David T. Ashley 06 Oct '05

06 Oct '05

Hi, I installed Stunnel 4.12 on a Linux box, and am attempting to use it to secure SMTP e-mail injection from Windows machines. I have everything working, and I have a Windows Stunnel client which will inject mail into a Linux Stunnel server over TCP Port 465. However, I've been unable to find the right combination of verification settings to cause the server to refuse connections from clients without the right certificates. Right now, I'm able to inject mail if the client has ANY certificate. Is there any tutorial on how to generate the keys, .PEM files, and the Stunnel settings to have the behavior where only MY clients can inject mail? Thanks and best regards, Dave Ashley.

2 2

stunnel and logrotate
by Bohdan Linda 06 Oct '05

06 Oct '05

Hello, I have noticed that by sending -HUP signal to stunnel causes daemon to exit. The problem is when stunnel is logging to a file and the file was recreated (i.e. by logrotate). I have blindly configured logrotate to send -HUP to the stunnel after the logs are rotated and awaited 'common-habbit' functionality: re-read configuration and refresh file handles. But I was supprised: xxxx@yyyyy:/var/log# more stunnel.log.1 2005.09.27 14:07:51 LOG5[23244:3084273344]: stunnel 4.07 on xxxxxxxxxxxxxxx 2005.09.27 14:07:51 LOG5[23244:3084273344]: 500 clients allowed 2005.10.02 04:40:03 LOG3[23245:3084273344]: Received signal 1; terminating Apparently messages are going to the 'old' filehandle and stunnel exits. Is there any workaround to this except: 1) hard restarting stunnel 2) putting stunnel in inetd Thank you, Bohdan

2 1

Stunnel 4.12 won't work with Openssl 0.98
by Luca G. 05 Oct '05

05 Oct '05

Hi I upgraded yesterday from stunnel 4.11 to 4.12, and i had a few problems... Basically I have been unable to use latest libeay32.dll and libssl32.dll versions (the one that comes with stunnel's installation file). I use stunnel to tunnel a thightvnc connection from my windows xp sp2 workstation to a couple of windows 2000 server machine on the opposite side of the building. At the moment i'm keeping 0.98 files on the server machines, 0.97f on my client and it works These are my stunnel.conf files -----------------------------------client CAfile = CAcert.pem CApath = certificates cert = client.pem client = yes verify = 3 debug = 7 output = stunnel.log [vnc] accept = 127.0.0.1:5900 connect = 192.168.1.252:443 [vnc2] accept = 127.0.0.1:5899 connect = 192.168.1.254:443 ---------------------------------------- -------------------------------server CAfile = CAcert.pem CApath = certificates cert = server.pem client = no verify = 3 debug = 7 output = stunnel.log [vnc] accept = 443 connect = 127.0.0.1:5900 -------------------------------------- And this is what i found in my log files after every connection attempt -----------------------------------client 2005.10.05 09:50:21 LOG5[3880:3960]: stunnel 4.12 on x86-pc-mingw32-gnu WIN32+SELECT+IPv6 with OpenSSL 0.9.8 05 Jul 2005 2005.10.05 09:50:21 LOG7[3880:3964]: RAND_status claims sufficient entropy for the PRNG 2005.10.05 09:50:21 LOG6[3880:3964]: PRNG seeded successfully 2005.10.05 09:50:21 LOG7[3880:3964]: Certificate: client.pem 2005.10.05 09:50:21 LOG7[3880:3964]: Key file: client.pem 2005.10.05 09:50:21 LOG7[3880:3964]: Loaded verify certificates from CAcert.pem 2005.10.05 09:50:21 LOG7[3880:3964]: Verify directory set to certificates 2005.10.05 09:50:21 LOG5[3880:3964]: Peer certificate location certificates 2005.10.05 09:50:21 LOG5[3880:3964]: No limit detected for the number of clients 2005.10.05 09:50:21 LOG7[3880:3964]: FD 164 in non-blocking mode 2005.10.05 09:50:21 LOG7[3880:3964]: SO_REUSEADDR option set on accept socket 2005.10.05 09:50:21 LOG7[3880:3964]: vnc bound to 127.0.0.1:5900 2005.10.05 09:50:21 LOG7[3880:3964]: FD 168 in non-blocking mode 2005.10.05 09:50:21 LOG7[3880:3964]: SO_REUSEADDR option set on accept socket 2005.10.05 09:50:21 LOG7[3880:3964]: vnc2 bound to 127.0.0.1:5899 2005.10.05 09:50:30 LOG7[3880:3964]: vnc accepted FD=176 from 127.0.0.1:1351 2005.10.05 09:50:30 LOG7[3880:3964]: Creating a new thread 2005.10.05 09:50:30 LOG7[3880:3964]: New thread created 2005.10.05 09:50:30 LOG7[3880:388]: vnc started 2005.10.05 09:50:30 LOG7[3880:388]: FD 176 in non-blocking mode 2005.10.05 09:50:30 LOG5[3880:388]: vnc connected from 127.0.0.1:1351 2005.10.05 09:50:30 LOG7[3880:388]: FD 200 in non-blocking mode 2005.10.05 09:50:30 LOG7[3880:388]: vnc connecting 192.168.1.252:443 2005.10.05 09:50:30 LOG7[3880:388]: connect_wait: waiting 10 seconds 2005.10.05 09:50:30 LOG7[3880:388]: connect_wait: connected 2005.10.05 09:50:30 LOG7[3880:388]: Remote FD=200 initialized 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): before/connect initialization 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 write client hello A 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 read server hello A 2005.10.05 09:50:30 LOG5[3880:388]: VERIFY OK: depth=1, /C=IT/ST=Trentino/L=Trento/O=ATAS onlus/OU=Atas Trento/CN=VNC/emailAddress=tecnico(a)atas.tn.it 2005.10.05 09:50:30 LOG5[3880:388]: VERIFY OK: depth=0, /C=IT/ST=Trentino/L=Trento/O=ATAS onlus/OU=Atas Trento/CN=VNC_server/emailAddress=tecnico(a)atas.tn.it 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 read server certificate A 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 read server certificate request A 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 read server done A 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 write client certificate A 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 write client key exchange A 2005.10.05 09:50:30 LOG7[3880:388]: SSL state (connect): SSLv3 write certificate verify A ----------------------------------- -----------------------------------server 2005.10.04 10:49:50 LOG5[2480:2760]: stunnel 4.12 on x86-pc-mingw32-gnu WIN32+SELECT+IPv4 with OpenSSL 0.9.8 05 Jul 2005 2005.10.04 10:49:51 LOG7[2480:2824]: RAND_status claims sufficient entropy for the PRNG 2005.10.04 10:49:51 LOG6[2480:2824]: PRNG seeded successfully 2005.10.04 10:49:51 LOG7[2480:2824]: Certificate: server.pem 2005.10.04 10:49:51 LOG7[2480:2824]: Key file: server.pem 2005.10.04 10:49:51 LOG7[2480:2824]: Loaded verify certificates from CAcert.pem 2005.10.04 10:49:51 LOG7[2480:2824]: Verify directory set to certificates 2005.10.04 10:49:51 LOG5[2480:2824]: Peer certificate location certificates 2005.10.04 10:49:51 LOG5[2480:2824]: No limit detected for the number of clients 2005.10.04 10:49:51 LOG7[2480:2824]: FD 864 in non-blocking mode 2005.10.04 10:49:51 LOG7[2480:2824]: SO_REUSEADDR option set on accept socket 2005.10.04 10:49:51 LOG7[2480:2824]: vnc bound to 0.0.0.0:443 2005.10.04 10:51:00 LOG7[2480:2824]: vnc accepted FD=852 from 192.168.1.250:13545 2005.10.04 10:51:00 LOG7[2480:2824]: Creating a new thread 2005.10.04 10:51:00 LOG7[2480:2824]: New thread created 2005.10.04 10:51:00 LOG7[2480:2740]: vnc started 2005.10.04 10:51:00 LOG7[2480:2740]: FD 852 in non-blocking mode 2005.10.04 10:51:00 LOG5[2480:2740]: vnc connected from 192.168.1.250:13545 2005.10.04 10:51:00 LOG7[2480:2740]: SSL state (accept): before/accept initialization 2005.10.04 10:51:00 LOG7[2480:2740]: SSL state (accept): SSLv3 read client hello A 2005.10.04 10:51:00 LOG7[2480:2740]: SSL state (accept): SSLv3 write server hello A 2005.10.04 10:51:00 LOG7[2480:2740]: SSL state (accept): SSLv3 write certificate A 2005.10.04 10:51:00 LOG7[2480:2740]: SSL state (accept): SSLv3 write certificate request A 2005.10.04 10:51:00 LOG7[2480:2740]: SSL state (accept): SSLv3 flush data 2005.10.04 10:51:00 LOG3[2480:2740]: SSL_accept: Peer suddenly disconnected 2005.10.04 10:51:00 LOG7[2480:2740]: vnc finished (0 left) ----------------------------------- Am i doing soething wrong? Thanks in advance Luca

1 0

4.12 Broken?
by G J Piper 04 Oct '05

04 Oct '05

The new Stunnel Version 4.12 doesn't work well with POPs mail retrieval on my system. Reverting back to 4.11 fixes it perfectly. With 4.12, various emails wouldn't come through, got random timeouts, LONG email retrieval times mainly. Sometimes an email would be impossible to retrieve from the spool file. Running Stunnel with default parameters. Standalone I believe POPs runs off xinetd. % uname -a FreeBSD pipercomputerservices.net 4.4-RELEASE FreeBSD 4.4-RELEASE #0: Wed Aug 28 19:41:18 GMT 2002 root@osbuilder:/usr/src/sys/compile/SERVER i386 % gcc -v Using builtin specs. gcc version 2.95.3 20010315 (release) [FreeBSD] % openssl version OpenSSL 0.9.6e 30 Jul 2002 % stunnel -version stunnel 4.11 on i386-unknown-freebsd4.4 PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.6e 30 Jul 2002 Global options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH debug = 5 key = /usr/local/etc/stunnel/stunnel.pem pid = /usr/local/var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes session = 300 seconds verify = none Service-level options TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds

2 2

Help: Remote desktop connection crashes Stunnel
by Jonathan Bell 04 Oct '05

04 Oct '05

In an attempt to get remote desktop set up over SSL tunneling with compression, I have installed stunnel on my Windows XP Professional SP2 machine and created a "portable" stunnel/config/dll zip that just contains the essentials to create a pre-configured tunnel. Here are the two config files: Server -------------------------------- ; Sample stunnel configuration file by Michal Trojnara 2002-2005 ; Some options used here may not be adequate for your particular configuration ; Certificate/key is needed in server mode and optional in client mode ; The default certificate is provided only for testing and should not ; be used in a production environment cert = stunnel.pem key = stunnel.pem ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 compression = zlib ; Some debugging stuff useful for troubleshooting debug = 6 output = G:\Stunnel Logs\stunnel.log taskbar = no ; Use it for client mode client = no ; Service-level configuration [remote-desktop] accept = 9833 connect = 127.0.0.1:3389 --------------------------------- Client --------------------------------- ; Sample stunnel configuration file by Michal Trojnara 2002-2005 ; Some options used here may not be adequate for your particular configuration ; Some performance tunings socket = l:TCP_NODELAY=1 socket = r:TCP_NODELAY=1 compression = zlib ; Some debugging stuff useful for troubleshooting debug = 7 output = stunnel.log taskbar = yes ; Use it for client mode client = yes ; Service-level configuration [remote-desktop] accept = 127.0.0.1:6389 connect = my.host.name:9833 ---------------------------------- The procedure I used was as follows - start Stunnel on the host, run upstairs with the zipped "portable" stunnel on a USB drive, run stunnel on the other PC, also running XP Pro SP2. Start->run->mstsc, enter 127.0.0.1:6389 and all that happens is that stunnel instantly crashes then Remote Desktop times out. What am I doing wrong?

2 1

Dual Instance of Stunnel Service on W2K
by Mundy Jennifer 04 Oct '05

04 Oct '05

Am new to stunnel and in need of some help. I have W2K box that has Stunnel installed as a service. Upon startup, it starts the service and uses the default stunnel.conf file. I would like to install a second Stunnel service and call a custom .conf service. Is this possible? I've read thru the documentation but haven't come across anything about a second service. We're running v4.05. I know I can get a second instance running via cmd line/batch file, but need the second instance to startup automatically so it can be monitored as well as other things. Thank you in advance. Jennifer The information contained in this e-mail may be confidential and is intended solely for the use of the named addressee. Access, copying or re-use of the e-mail or any information contained therein by any other person is not authorized. If you are not the intended recipient please notify us immediately by returning the e-mail to the originator.(17b)

1 0