April 2005 - stunnel-users

Stunnel 4.10 released
by Michal Trojnara 23 Apr '05

23 Apr '05

Here is the ChangeLog entry: Version 4.10, 2005.04.23, urgency: LOW/EXPERIMENTAL: * DLLs for OpenSSL 0.9.7g. * Bugfixes - Missing locking on Win32 platform was added (thx to Yi Lin <yi.lin(a)convergys.com>) - Some problems with closing SSL fixed. * New features - New UCONTEXT user-level non-preemptive threads model is used on systems that support SYSV-compatible ucontext.h. - Improved stunnel3 script with getopt-compatible syntax. * Release notes - This version should be thoroughly tested before using it in the mission-critical environment. Homepage: http://stunnel.mirt.net/ Download: ftp://stunnel.mirt.net/stunnel/ Best regards, Mike

1 0

Patch: Windows version of stunnel 4.09 is not thread-safe
by yi.lin＠convergys.com 23 Apr '05

23 Apr '05

We have been using stunnel on Windows as a SSL proxy to connect to HTTPS server but stunnel kept crashing randomly under load. After some investigation, we found the following: according to OpenSSL document (http://www.openssl.org/docs/crypto/threads.html) "OpenSSL can safely be used in multi-threaded applications provided that at least two callback functions are set. locking_function(int mode, int n, const char *file, int line) is needed to perform locking on shared data structures. (Note that OpenSSL uses a number of global data structures that will be implicitly shared whenever multiple threads use OpenSSL.) Multi-threaded applications will crash at random if it is not set. " The original stunnel package only implements a POSIX Pthread version of locking callback functions, but doesn't provide any implementation for Windows. This has caused random crashes during our testing because the way we use stunnel requires frequent creation/destruction of threads and stunnel is not thread-safe without the locking callbacks. The attached fix attempts to address the problem by implementing the Windows version of locking callbacks using Windows native CRITICAL_SECTION object. =============================================================================================================================== *** sthreads.c Fri Dec 31 02:55:40 2004 --- sthreads_w32.c Thu Apr 14 08:29:07 2005 *************** *** 121,126 **** --- 121,127 ---- #ifdef USE_WIN32 CRITICAL_SECTION stunnel_cs[CRIT_SECTIONS]; + static CRITICAL_SECTION lock_cs[CRYPTO_NUM_LOCKS]; void enter_critical_section(SECTION_CODE i) { EnterCriticalSection(stunnel_cs+i); *************** *** 130,141 **** --- 131,161 ---- LeaveCriticalSection(stunnel_cs+i); } + static void locking_callback(int mode, int type, + #ifdef HAVE_OPENSSL + const /* Callback definition has been changed in openssl 0.9.3 */ + #endif + char *file, int line) { + if(mode&CRYPTO_LOCK) + EnterCriticalSection(lock_cs+type); + else + LeaveCriticalSection(lock_cs+type); + } + + void sthreads_init(void) { int i; /* Initialize stunnel critical sections */ for(i=0; i<CRIT_SECTIONS; i++) InitializeCriticalSection(stunnel_cs+i); + + /* Initialize OpenSSL locking callback */ + for(i=0; i<CRYPTO_NUM_LOCKS; i++) + InitializeCriticalSection(lock_cs+i); + CRYPTO_set_locking_callback(locking_callback); + + } unsigned long stunnel_process_id(void) { (See attached file: sthread_diff) Yi Lin Convergys Corporation yi.lin(a)convergys.com (703)885-5767 -- "NOTICE: The information contained in this electronic mail transmission is intended by Convergys Corporation for the use of the named individual or entity to which it is directed and may contain information that is privileged or otherwise confidential. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email or by telephone (collect), so that the sender's address records can be corrected."

2 1

connection refsed (111)
by RAJADURAI D 20 Apr '05

20 Apr '05

hi I am trying to connect using mysql, there are no fw between the 2 boxes. I tested with stunnel latest version 4.08 in red hat 9,it shows the last message as connection refused (111) after the cipher negotiation Any ideas on how to solve this error plz help me, to short out this problem ? i am using ==> Stunnel 4.08 redhat 9 Kernel 2.4.20-8 mysql Ver 11.18 Distrib 3.23.54,for redhat-linux-gnu(i386) I am using stunnel.pem generated while installing stunnel 4.08 SERVER SIDE [root@scorpion src]# ./stunnel 2005.03.30 12:23:19 : stunnel with OpenSSL 0.9.7a Feb 19 2003 2005.03.30 12:23:19 : Certificate: /usr/local/etc/stunnel/stunnel.pem 2005.03.30 12:23:19 : Key file: /usr/local/etc/stunnel/stunnel.pem 2005.03.30 12:23:19 : 500 clients allowed 2005.03.30 12:23:19 : SO_REUSEADDR option set on accept socket 2005.03.30 12:23:19 : mysqls bound to 0.0.0.0:3307 2005.03.30 12:23:19 : Created pid file /stunnel.pid 2005.03.30 12:27:01 : mysqls accepted FD=7 from 192.168.2.175:33091 2005.03.30 12:27:01 : mysqls started 2005.03.30 12:27:01 : mysqls connected from 192.168.2.175:33091 2005.03.30 12:27:01 : SSL state (accept): before/accept initialization 2005.03.30 12:27:01 : SSL state (accept): SSLv3 read client hello A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 write server hello A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 write certificate A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 write server done A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 flush data 2005.03.30 12:27:01 : SSL state (accept): SSLv3 read client key exchange A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 read finished A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 write change cipher spec A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 write finished A 2005.03.30 12:27:01 : SSL state (accept): SSLv3 flush data 2005.03.30 12:27:01 : 1 items in the session cache 2005.03.30 12:27:01 : 0 client connects (SSL_connect()) 2005.03.30 12:27:01 : 0 client connects that finished 2005.03.30 12:27:01 : 0 client renegotiatations requested 2005.03.30 12:27:01 : 1 server connects (SSL_accept()) 2005.03.30 12:27:01 : 1 server connects that finished 2005.03.30 12:27:01 : 0 server renegotiatiations requested 2005.03.30 12:27:01 : 0 session cache hits 2005.03.30 12:27:01 : 0 session cache misses 2005.03.30 12:27:01 : 0 session cache timeouts 2005.03.30 12:27:01 : SSL accepted: new session negotiated 2005.03.30 12:27:01 : Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2005.03.30 12:27:01 : mysqls connecting 127.0.0.1:3306 2005.03.30 12:27:01 : connect_wait: waiting 10 seconds 2005.03.30 12:27:01 : connect_wait: getsockopt: Connection refused (111) 2005.03.30 12:27:01 : Failed to initialize remote connection 2005.03.30 12:27:01 : mysqls finished (0 left) ====================================================== CLIENT SIDE [root@redhat src]# ./stunnel 2005.03.30 23:24:42 LOG5[7383:1075999904]: stunnel 4.08 on i686-pc-linux-gnu PTH READ+POLL+IPv4+LIBWRAP with OpenSSL 0.9.7a Feb 19 2003 2005.03.30 23:24:42 LOG7[7383:1075999904]: RAND_status claims sufficient entropy for the PRNG 2005.03.30 23:24:42 LOG6[7383:1075999904]: PRNG seeded successfully 2005.03.30 23:24:42 LOG7[7383:1075999904]: Certificate: /usr/local/etc/stunnel/s tunnel.pem 2005.03.30 23:24:42 LOG7[7383:1075999904]: Key file: /usr/local/etc/stunnel/stun nel.pem 2005.03.30 23:24:42 LOG6[7383:1075999904]: file ulimit = 1024 (can be changed wi th 'ulimit -n') 2005.03.30 23:24:42 LOG6[7383:1075999904]: poll() used - no FD_SETSIZE limit for file descriptors 2005.03.30 23:24:42 LOG5[7383:1075999904]: 500 clients allowed 2005.03.30 23:24:42 LOG7[7383:1075999904]: FD 4 in non-blocking mode 2005.03.30 23:24:42 LOG7[7383:1075999904]: FD 5 in non-blocking mode 2005.03.30 23:24:42 LOG7[7383:1075999904]: FD 6 in non-blocking mode 2005.03.30 23:24:42 LOG7[7383:1075999904]: SO_REUSEADDR option set on accept soc ket 2005.03.30 23:24:42 LOG7[7383:1075999904]: mysqls bound to 0.0.0.0:3306 2005.03.30 23:24:42 LOG7[7383:1075999904]: Created pid file /stunnel.pid 2005.03.30 23:32:19 LOG7[7383:1075999904]: mysqls accepted FD=7 from 127.0.0.1:3 3090 2005.03.30 23:32:19 LOG7[7383:1075999904]: FD 7 in non-blocking mode 2005.03.30 23:32:19 LOG7[7383:1076067520]: mysqls started 2005.03.30 23:32:20 LOG5[7383:1076067520]: mysqls connected from 127.0.0.1:33090 2005.03.30 23:32:20 LOG7[7383:1076067520]: FD 8 in non-blocking mode 2005.03.30 23:32:20 LOG7[7383:1076067520]: mysqls connecting 192.168.2.210:3307 2005.03.30 23:32:20 LOG7[7383:1076067520]: connect_wait: waiting 10 seconds 2005.03.30 23:32:20 LOG7[7383:1076067520]: connect_wait: connected 2005.03.30 23:32:20 LOG7[7383:1076067520]: Remote FD=8 initialized 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): before/connect initialization 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 write client hello A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 read server hello A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 read server certificate A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 read server done A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 write client key exchange A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 write change cipher spec A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 write finished A 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 flush data 2005.03.30 23:32:20 LOG7[7383:1076067520]: SSL state (connect): SSLv3 read finished A 2005.03.30 23:32:20 LOG7[7383:1076067520]: 1 items in the session cache 2005.03.30 23:32:20 LOG7[7383:1076067520]: 1 client connects (SSL_connect()) 2005.03.30 23:32:20 LOG7[7383:1076067520]: 1 client connects that finished 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 client renegotiatations requeste d 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 server connects (SSL_accept()) 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 server connects that finished 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 server renegotiatiations request ed 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 session cache hits 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 session cache misses 2005.03.30 23:32:20 LOG7[7383:1076067520]: 0 session cache timeouts 2005.03.30 23:32:20 LOG6[7383:1076067520]: SSL connected: new session negotiated 2005.03.30 23:32:20 LOG6[7383:1076067520]: Negotiated ciphers: AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1 2005.03.30 23:32:20 LOG3[7383:1076067520]: SSL_read: Connection reset by peer (1 04) 2005.03.30 23:32:20 LOG5[7383:1076067520]: Connection reset: 0 bytes sent to SSL , 0 bytes sent to socket 2005.03.30 23:32:20 LOG7[7383:1076067520]: mysqls finished (0 left) RUNNING mysqL IN AN SEPARATE TERMINAL [root@redhat bharathi]# mysql -h 127.0.0.1 -u anirudh -p Enter password: ERROR 2013: Lost connection to MySQL server during query

2 2

Disabling IPv6
by Punitha 19 Apr '05

19 Apr '05

Hello Everyone !! I need to build Stunnel-4.09 in HP-UX11.11 without the support of IPv6. I did not use --enable-ipv6 option. In the configure log I could see the reference of getaddrinfo and getnameinfo functions. Is that refers any of the system file or the function defined in the souce code? I used `nm stunnel | grep getaddrinfo` and it shows the following. $ nm stunnel | grep getaddrinfo getaddrinfo | |undef |code | getaddrinfo | 118768|uext |stub | $ I need to confirm the source(from where they are taken) of getaddrinfo and getnameinfo functions. Is that related with the support of ipv6 in any way? Any of you please make me clear. Thanx in ADVANCE. Regards, Punitha.

2 1

Disabling IPv6
by Punitha 19 Apr '05

19 Apr '05

Hello Everyone !! I need to build Stunnel-4.09 in HP-UX11.11 without the support of IPv6. I did not use --enable-ipv6 option. In the configure log I could see the reference of getaddrinfo and getnameinfo functions. Is that refers any of the system file or the function defined in the souce code? I used `nm stunnel | grep getaddrinfo` and it shows the following. $ nm stunnel | grep getaddrinfo getaddrinfo | |undef |code | getaddrinfo | 118768|uext |stub | $ I need to confirm the source(from where they are taken) of getaddrinfo and getnameinfo functions. Is that related with the support of ipv6 in any way? Any of you please make me clear. Thanx in ADVANCE. Regards, Punitha.

1 0

Reporting problems
by Michal Trojnara 19 Apr '05

19 Apr '05

Dear Users, Please stop reporting problems with obsolete versions of stunnel. You should always upgrade to the latest stunnel and OpenSSL first, than repeat your tests and report a problem. Best regards, Mike

2 1

Stunnel - Transfer loop executes not transferring any data.
by Michel Esber 18 Apr '05

18 Apr '05

Hello All, I am running a proprietary daemon on port 443 that accepts incoming connections. We are experiencing problems when activating stunnel on our production box. Everytime that we run our daemon with stunnel, our CPU and memory/swap area consumption is extremely intensive. Each stunnel process consumes approximately 37Mb of RSS memory. I have browsed through my logs and here is what I found: 2005.04.18 14:35:00 LOG3[15242:1245336]: transfer() loop executes not transferring any data 2005.04.18 14:35:06 LOG3[15242:1245336]: please report the problem to Michal.Trojnara(a)mirt.net 2005.04.18 14:35:06 LOG3[15242:1245336]: socket open rd=yes wr=yes, ssl open rd=yes wr=yes 2005.04.18 14:35:06 LOG3[15242:1245336]: socket ready rd=no wr=no, ssl ready rd=no wr=no 2005.04.18 14:35:06 LOG3[15242:1245336]: check_SSL_pending=0, ssl_closing=0 2005.04.18 14:35:06 LOG5[15242:1245336]: Connection reset: 258 bytes sent to SSL, 153319 bytes sent to socket Some details: a) My configuration file: [https] accept = 443 exec = /path/to/daemon execargs = daemon -ssl stunnel 4.07 on i686-pc-linux-gnu PTHREAD+POLL+IPv4+LIBWRAP with OpenSSL 0.9.6b [engine] 9 Jul 2001 Global options cert = /usr/local/etc/stunnel/stunnel.pem ciphers = ALL:!ADH:RC4+RSA:+SSLv2:@STRENGTH debug = 5 key = /usr/local/etc/stunnel/stunnel.pem pid = /usr/local/var/run/stunnel.pid RNDbytes = 64 RNDfile = /dev/urandom RNDoverwrite = yes session = 300 seconds verify = none Service-level options TIMEOUTbusy = 300 seconds TIMEOUTclose = 60 seconds TIMEOUTconnect = 10 seconds TIMEOUTidle = 43200 seconds b) glibc-2.2.4-31.7 glibc-devel-2.2.4-32.8 libcap-1.10-6 glibc-common-2.2.4-31.7 c) uname -a Linux myserver 2.4.9-e.57enterprise #1 SMP Thu Dec 2 20:45:51 EST 2004 i686 unknown d) gcc -v gcc version 2.96 20000731 (Red Hat Linux 7.2 2.96-118.7.2) e) openssl version OpenSSL 0.9.6b [engine] 9 Jul 2001 Can anyone shred some light? I believe I should upgrade some of my core components (gcc / openssl). I just need to make sure this is the right direction. Thanks in advance, X------------------- Michel Esber MCSE, MCSA, MCDBA Automatos - www.automatos.com US: 1 (866) 2293584

2 1

stunnel generating defuncts
by Serxio Barral 18 Apr '05

18 Apr '05

Hi there! I'm using stunnel as client with SuSE SLES 8. Usually after several days working OK (up to two weeks) it begins to generate defunct processes for every transfer. At first, stunnel version was 3.14 (the one that comes out of the box with SLES 8), but now I have downloaded an compiled 3.26 and it just happens the same. killing stunnel won't help, since relaunching it again turns on generating defuncts. Situation does not come back to normal until rebooting the server. Any hint on this issue? Thanks in advance, Serxio Barral.

1 0

stunnel generating defuncts
by SERXIO BARRAL PAN/ Generali-España 18 Apr '05

18 Apr '05

Hi there! I'm using stunnel as client with SuSE SLES 8. Usually after several days working OK (up to two weeks) it begins to generate defunct processes for every transfer. At first, stunnel version was 3.14 (the one that comes out of the box with SLES 8), but now I have downloaded an compiled 3.26 and it just happens the same. killing stunnel won't help, since relaunching it again turns on generating defuncts. Situation does not come back to normal until rebooting the server. Any hint on this issue? Thanks in advance, Serxio Barral.

1 0

Please Help! I keep getting the same error.
by Theodore W. Hildebrandt 11 Apr '05

11 Apr '05

Refer to my submission of 03/24/05: "error:1408F10B:SSL . . . " I had hoped that someone would tell me how to get around this error, but no message has appeared in the stunnel Archive. I have now ftp'd version 4.09 and tried it, with the same results. I wait and wait for a connection, and finally interrupt the process, since it's not going anywhere. And then I get the "error:1408F10B. . ." message in the stunnel log. Since I seem to be able to send e-mail from my old Pentium II computer (Windows 98SE) I'm, using it so send this message. [Note that I can still receive e-mail on the new Dell Pentium IV machine (Windows XP Home). I just can't send anything.] Doesn't anyone have answers? Ted Hildebrandt

1 0