February 2005 - stunnel-users

verify = 3 error with certificate client
by Humberto Morell 01 Mar '05

01 Mar '05

Hello List I have stunnel 4.7 In the messages of the list I have not seen solution to my problem. This is VERIFY ERROR ONLY MY: no cert stunnel.log in Server ################## 2005.02.25 07:55:07 LOG5[2501:1076546480]: VERIFY OK: depth=1, /C=CU/ST=Ciudad Habana/L=Centro Habana/O=Segurmatica/OU=Agencia de Certificacion/CN=Segurmatica/emailAddress=ca(a)segurmatica.cu 2005.02.25 07:55:07 LOG4[2501:1076546480]: VERIFY ERROR ONLY MY: no cert for /C=CU/ST=Ciudad Habana/L=Centro Habana/O=Ministerio Informatica y Comunicaciones/OU=Segurmatica/CN=Humberto Morell/emailAddress=morell(a)seg.inf.cu 2005.02.25 07:55:07 LOG7[2501:1076546480]: SSL alert (write): fatal: certificate unknown ############# stunnel.conf in Server ############## #chroot = /var/lib/stunnel/ verify = 3 CApath = /etc/stunnel/certdb # or simply use CAfile instead: #CAfile = /etc/stunnel/certs.pem CAfile = /etc/stunnel/acsegurmatica.crt #cert = /etc/stunnel/stunnel.pem cert = /etc/stunnel/certstunnel.pem ################# File in /etc/stunnel ############### certdb morell.pem stunnel.prueba.pem certstunnel.pem stunnel.conf acsegurmatica.crt morell.crt stunnel.log certclient morell.key stunnel.pem ############### Link in /etc/stunnel/certdb ############### drwxr-xr-x 2 root root 176 Feb 25 11:06 . drwx------ 4 root root 472 Feb 25 10:52 .. lrwxrwxrwx 1 root root 24 Feb 25 11:00 2307a3fe.0 -> /etc/stunnel/stunnel.pem lrwxrwxrwx 1 root root 30 Feb 25 11:01 3f5b7ca8.0 -> /etc/stunnel/acsegurmatica.crt lrwxrwxrwx 1 root root 23 Feb 25 11:03 3fb3183e.0 -> /etc/stunnel/morell.pem lrwxrwxrwx 1 root root 28 Feb 25 11:06 d14abd18.0 -> /etc/stunnel/certstunnel.pem ################# client in Windows stunnel.conf ############## client = yes cert = d:\morell.pem debug = 7 output = d:\stunnel.log [lsd] accept = 9595 connect = 10.10.1.83:9500 [ssh] accept = 2222 connect = 10.10.1.83:9522 ##################### Note: I don't use chroot I have try, but idem error with. File morell.pem only client certificate and other time file morell.pem Key private crl Certificate With verify = 2 all is ok Please help Best regards Morell

3 3

stunnel woes under HPUX 10.20
by foner-stunnel＠media.mit.edu 28 Feb '05

28 Feb '05

[Please keep me CC'ed on replies! I'm not on any stunnel lists.] Stunnel 4.07 and 4.08 don't build under HPUX 10.20. 4.06 appears to build, but doesn't appear to work---with a config file like this, running on the local host: pid = /usr/local/var/stunnel/stunnel.pid client = yes foreground = yes # debug = debug [pop3s] accept = 110 connect = our-pop-host:995 ...and an attempt like this, using (for instance) Emacs 21.4a's movemail: movemail po:foner:localhost NEWMAIL [the-password] ...I get an infinite hang. Enabling debugging causes stunnel to spit out an infinite stream of a single line at maximum rate, and seems unaffected by whether I'm trying to connect to it or not: # stunnel test-stunnel.conf 1900.01.00 00:00:00 LOG5[9738:0]: stunnel 4.06 on hppa1.1-hp-hpux10.20 FORK+POLL with OpenSSL 0.9.7e 25 Oct 2004 1900.01.00 00:00:00 LOG7[9738:0]: Snagged 64 random bytes from /users/foner/.rnd 1900.01.00 00:00:00 LOG7[9738:0]: Wrote 1024 new random bytes to /users/foner/.rnd 1900.01.00 00:00:00 LOG7[9738:0]: RAND_status claims sufficient entropy for the PRNG 1900.01.00 00:00:00 LOG6[9738:0]: PRNG seeded successfully 1900.01.00 00:00:00 LOG6[9738:0]: file ulimit = 60 (can be changed with 'ulimit -n') 1900.01.00 00:00:00 LOG6[9738:0]: poll() used - no FD_SETSIZE limit for file descriptors 1900.01.00 00:00:00 LOG5[9738:0]: 27 clients allowed 1900.01.00 00:00:00 LOG7[9738:0]: FD 3 in non-blocking mode 1900.01.00 00:00:00 LOG7[9738:0]: FD 4 in non-blocking mode 1900.01.00 00:00:00 LOG7[9738:0]: FD 5 in non-blocking mode 1900.01.00 00:00:00 LOG7[9738:0]: SO_REUSEADDR option set on accept socket 1900.01.00 00:00:00 LOG7[9738:0]: pop3s bound to 0.0.0.0:110 1900.01.00 00:00:00 LOG7[9738:0]: Created pid file /usr/local/var/stunnel/stunnel.pid 1900.01.00 00:00:00 LOG6[9738:0]: daemon_loop: s_poll_wait: Invalid argument (22) 1900.01.00 00:00:00 LOG6[9738:0]: daemon_loop: s_poll_wait: Invalid argument (22) 1900.01.00 00:00:00 LOG6[9738:0]: daemon_loop: s_poll_wait: Invalid argument (22) 1900.01.00 00:00:00 LOG6[9738:0]: daemon_loop: s_poll_wait: Invalid argument (22) [ . . . and forever more . . . ] I can't imagine that this is supposed to be how debug works, since it's totally useless for debugging if it spits out the same line as fast as it can. I'm running the stunnel as root, and netstat seems to show that it's bound to port 110, but doesn't seem to indicate any outbound connection from stunnel to our pop host after I invoke movemail. I have no idea if versions before 4.06 work; I haven't tried. Sure, this is an old OS, but zillions of other things, including the entire GNU toolchain, seem to work on it, so stunnel should, too. Builds for all three versions I've tried may be found in at the following URLs. Note that 4.07 and 4.08 fail on different files, but in essentially the same way. http://foner.www.media.mit.edu/people/foner/Sys/stunnel-4.06.build http://foner.www.media.mit.edu/people/foner/Sys/stunnel-4.07.build http://foner.www.media.mit.edu/people/foner/Sys/stunnel-4.08.build I've done some websearching, and I've searched the stunnel archives at mirt.net, but haven't found anything relevant. Any clues? Thanks...

5 9

stunnel logging problem
by Brian T 28 Feb '05

28 Feb '05

Hi, I work for a company which has a custom embedded Linux platform, and have been working with stunnel for some time but have never seen this problem. I have seen it with stunnel 4.04 and 4.07, which is compiled on a Redhat 7.2ish platform, but newer SSL libraries. (below my sig is the stunnel info). Basically I use a config file, but when debug= and output= is commented out, stunnel seems to cause a problem which resets the embedded unit. If I uncomment them both and use output=/var/log/stunnel.log ( or /dev/null ) everything works fine. Not sure where to look for the problem that is causing this since I can't even get a core dump. I looged in s_log() but nothing stuck out as being wrong. Thanks for any help you can lend, -Brian [root@JBMgateway-v63 /]# stunnel -version stunnel 4.07 on i486-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7d 17 Mar 2004 Global options cert = /etc/stunnel/stunnel.pem ciphers = ALL:!ADH:+RC4:@STRENGTH debug = 5 key = /etc/stunnel/stunnel.pem pid = /var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes session = 300 seconds verify = none Service-level options TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds [root@JBMgateway-v63 /]# uname -a Linux JBMgateway-v63 2.4.20 #1729 Wed Jan 26 17:38:15 CST 2005 i486 unknown [root@JBMgateway-v63 /]# ls -al /lib/libssl.so.* -rwxr-xr-x 1 root root 210452 Jan 26 18:47 /lib/libssl.so.0.9.7 lrwxrwxrwx 1 root root 20 Jan 26 18:47 /lib/libssl.so.2 -> /lib/libssl.so.0.9.7 [root@JBMgateway-v63 /]# cat /etc/stunnel/stunnel.conf # Some debugging stuff debug = 6 output = /var/log/stunnel.log #output = /dev/null foreground = yes # Use it for client mode client = yes [SampleGroup] accept = 443 connect = x.x.x.x:6660

1 0

PEM routines:PEM_read_bio Problem
by Metal Gear 28 Feb '05

28 Feb '05

Hi all, i was configuring my syslog-ng server with stunnel and it worked fine for somedays but after that i upgraded to new SSL libraries (OpenSSL 0.9.7e) from (OpenSSL 0x0090701f) then i m getting this "stunnel[2480]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio" error (i have given the link of stunnel binary in rc.local, to start at boot time, at i get this error in logs) i m using stunnel (stunnel 4.07). Can anyone has any idea about it. Thanks (sorry for sending same message twice)

1 0

PEM routines:PEM_read_bio Problem
by Metal Gear 28 Feb '05

28 Feb '05

Hi all, i was configuring my syslog-ng server with stunnel and it worked fine for somedays but after that i upgraded to new SSL libraries (OpenSSL 0.9.7e) from (OpenSSL 0x0090701f) then i m getting this "stunnel[2480]: SSL_CTX_use_RSAPrivateKey_file: 906D06C: error:0906D06C:PEM routines:PEM_read_bio" error (i have given the link of stunnel binary in rc.local, to start at boot time, at i get this error in logs) i m using stunnel (stunnel 4.07). Can anyone has any idea about it. Thanks

1 0

Stunnel 4.08 released
by Michal Trojnara 27 Feb '05

27 Feb '05

Here is the ChangeLog entry for the new stunnel 4.08: Version 4.08, 2005.02.27, urgency: LOW: * New features - New -quiet option was added to install NT service without a message box. * Bugfixes - Using $(DESTDIR) in tools/Makefile.am. - Define NI_NUMERICHOST and NI_NUMERICSERV when needed. - Length of configuration file line increased from 256B to 16KB. - Stunnel sends close_notify when a close_notify is received from SSL peer and all remaining data is sent to SSL peer. - Some fixes for bugs detected by the watchdog. * Release notes - There were many changes in the transfer() function (the main loop). This version should be thoroughly tested before using it in the mission-critical environment. Home page & downloads: http://stunnel.mirt.net/ Best regards, Mike

1 0

Help Needed
by Alexander Lazic 25 Feb '05

25 Feb '05

Hi, i have try to add the X-Forwarded-For Header, based on http://www.stunnel.org/patches/desc/xforwardedfor_jrd.html, into stunnel 4.07, but i don't come to a solution :-( I have try to add i into 'client.c => transfer()'. Please can anybody review the attached Patch and point me to the right way ;-) I'am not shure that i add the 'insert' into the right place :-( Thanx for help ;-)) al ;-)

1 1

verify =3 error with certificate client
by Humberto Morell 25 Feb '05

25 Feb '05

Hello List I have stunnel 4.7 In the messages of the list I have not seen solution to my problem. This is VERIFY ERROR ONLY MY: no cert stunnel.log in Server ################## 2005.02.25 07:55:07 LOG5[2501:1076546480]: VERIFY OK: depth=1, /C=CU/ST=Ciudad Habana/L=Centro Habana/O=Segurmatica/OU=Agencia de Certificacion/CN=Segurmatica/emailAddress=ca(a)segurmatica.cu 2005.02.25 07:55:07 LOG4[2501:1076546480]: VERIFY ERROR ONLY MY: no cert for /C=CU/ST=Ciudad Habana/L=Centro Habana/O=Ministerio Informatica y Comunicaciones/OU=Segurmatica/CN=Humberto Morell/emailAddress=morell(a)seg.inf.cu 2005.02.25 07:55:07 LOG7[2501:1076546480]: SSL alert (write): fatal: certificate unknown ############# stunnel.conf in Server ############## #chroot = /var/lib/stunnel/ verify = 3 CApath = /etc/stunnel/certdb # or simply use CAfile instead: #CAfile = /etc/stunnel/certs.pem CAfile = /etc/stunnel/acsegurmatica.crt #cert = /etc/stunnel/stunnel.pem cert = /etc/stunnel/certstunnel.pem ################# File in /etc/stunnel ############### certdb morell.pem stunnel.prueba.pem certstunnel.pem stunnel.conf acsegurmatica.crt morell.crt stunnel.log certclient morell.key stunnel.pem ############### Link in /etc/stunnel/certdb ############### drwxr-xr-x 2 root root 176 Feb 25 11:06 . drwx------ 4 root root 472 Feb 25 10:52 .. lrwxrwxrwx 1 root root 24 Feb 25 11:00 2307a3fe.0 -> /etc/stunnel/stunnel.pem lrwxrwxrwx 1 root root 30 Feb 25 11:01 3f5b7ca8.0 -> /etc/stunnel/acsegurmatica.crt lrwxrwxrwx 1 root root 23 Feb 25 11:03 3fb3183e.0 -> /etc/stunnel/morell.pem lrwxrwxrwx 1 root root 28 Feb 25 11:06 d14abd18.0 -> /etc/stunnel/certstunnel.pem ################# client in Windows stunnel.conf ############## client = yes cert = d:\morell.pem debug = 7 output = d:\stunnel.log [lsd] accept = 9595 connect = 10.10.1.83:9500 [ssh] accept = 2222 connect = 10.10.1.83:9522 ##################### Note: I don't use chroot I have try, but idem error with. File morell.pem only client certificate and other time file morell.pem Key private crl Certificate With verify = 2 all is ok Please help Best regards Morell

1 0

openssl - generating stunnel.pem - stunnel.cnf
by k-i-r＠web.de 24 Feb '05

24 Feb '05

Using Stunnel under Windows I want to create a certificate (stunnel.pem) with Openssl. According to FAQ the syntax for creating a certificate with Openssl is openssl req -new -x509 -days 365 -nodes -config stunnel.cnf -out stunnel.pem -keyout stunnel.pem I use openssl for windows (as part of apache-windows-http-server) . Where do I get the file stunnel.cnf ? Or is this file not necessary for creating a certificate ? Thanks for help, k.

3 2

Stunnel and configuration
by Bohdan Linda 22 Feb '05

22 Feb '05

Hi all, I have configured stunnel to do the client authetication, but I have some question. I have used following config: cert = /etc/certificates/server.pem - file with signed server cert and key (passwordless) chroot = /var/run/stunnel/ CAfile = /etc/certificates/certs -file where first item is my CA certificate followed by list of all client certificates sgined by my CA. setuid = nobody setgid = nogroup pid = /stunnel.pid verify = 3 This setup is working, but this seems to me very "unlogical". If I create for me "more logic" setup: cert = /etc/certificates/server.pem chroot = /var/run/stunnel/ CAfile = /etc/certificates/CA/cacert.pem - only certificate of my CA CRLfile = /etc/certificates/crls - only certificates signed by my CA I get the following error: 2005.02.22 15:15:10 LOG5[22418:81926]: VERIFY OK: depth=1, /C= ..... 2005.02.22 15:15:10 LOG4[22418:81926]: VERIFY ERROR ONLY MY: no cert for /C= The question is ... why? Why CAfile has to contain all client certificates, when clients certs are not CA? Why I cannot have separate file for CA and separate file for certificates that I want accept? If I do the similar setup in mod_ssl, the configuration works as expected. Anyway, I'am newbie to deploy stunnel, thus I would like to ask you for giving me you opinion of this configuration, caveats and possible enhancements. Thanks for any comments, Bohdan Linda

3 4